CVE-2025-14914: Path Traversal in WebSphere Application Server Liberty
Platform
ibm
Component
websphere-application-server-liberty
Fixed in
26.0.1
CVE-2025-14914 describes a Path Traversal vulnerability affecting IBM WebSphere Application Server Liberty. A privileged user can exploit this flaw by uploading a specially crafted zip archive containing path traversal sequences, allowing them to overwrite files and potentially achieve arbitrary code execution. This vulnerability impacts versions 17.0.0.3 through 26.0.0.1, and a fix is available from IBM.
Impact and Attack Scenarios
The primary impact of CVE-2025-14914 is the potential for arbitrary code execution on the affected WebSphere Application Server Liberty instance. An attacker, possessing privileged access, can upload a zip file containing path traversal sequences (e.g., ../../../../) to overwrite critical system files. This overwrite could lead to the execution of malicious code, granting the attacker complete control over the server. The blast radius extends to any data processed by the Liberty server, including sensitive user data, application configurations, and potentially database credentials. This vulnerability shares similarities with other path traversal exploits where attackers leverage file system navigation to bypass security controls.
Exploitation Context
CVE-2025-14914 was publicly disclosed on 2026-02-02. Its KEV status is unknown at this time; inclusion in the CISA KEV catalog would indicate a higher probability of exploitation. Public proof-of-concept (PoC) code is currently unavailable, but path traversal vulnerabilities are often relatively easy to exploit once a suitable attack vector is identified. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting WebSphere Application Server Liberty.
Threat Intelligence
Exploit Status
EPSS
0.01% (2nd percentile)
CVSS Vector
- Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity: High — requires a race condition, non-default configuration, or specific circumstances. Harder to exploit reliably.
- Privileges Required: High — admin or privileged account required to exploit.
- User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
- Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
- Confidentiality: High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity: High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability: High — complete crash or resource exhaustion. Full denial of service.
Mitigation and Workarounds
The recommended mitigation for CVE-2025-14914 is to upgrade to a patched version of WebSphere Application Server Liberty as soon as possible. IBM has released a fix (26.0.1, per the header above); consult the official security advisory for the exact fix level for your release stream. If immediate patching is not feasible, consider deploying a Web Application Firewall (WAF) with rules that block uploads of zip archives whose entry names contain path traversal sequences. Additionally, restrict file upload privileges to authorized users only, and apply strict validation to archive entry names so that entries containing ".." components, absolute paths, or backslash separators are rejected before extraction. After upgrading, verify the fix by attempting to upload a test zip file with a path traversal sequence and confirming that the upload is blocked.
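The zip-based traversal described under "Impact and Attack Scenarios" and the entry-name validation recommended above are illustrated by the following added example. It is not code from IBM or from WebSphere Liberty; it is a generic, defensive archive check written for this page. It constructs two small archives in memory (one benign, one with a crafted traversal entry), flags entries that would escape the extraction root, and refuses to extract an archive that contains any such entry. All file names and contents are constructed sample data.

```python
import io
import os
import zipfile
from pathlib import PurePosixPath


def is_unsafe_entry(name: str) -> bool:
    """Return True if a zip entry name could escape the extraction root.

    Rejects absolute paths, drive-letter paths, and any '..' component,
    after normalising backslashes so Windows-style names are inspected
    the same way as POSIX-style ones.
    """
    normalised = name.replace("\\", "/")
    if normalised.startswith("/") or (len(normalised) > 1 and normalised[1] == ":"):
        return True
    return ".." in PurePosixPath(normalised).parts


def find_unsafe_entries(zip_bytes: bytes) -> list[str]:
    """List every entry in the archive whose name fails the path check."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [info.filename for info in zf.infolist() if is_unsafe_entry(info.filename)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Validate every entry first, then extract; returns the written paths.

    Raises ValueError (and writes nothing) if any entry is unsafe, so a
    crafted archive cannot partially extract before the bad entry is hit.
    """
    dest_root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if is_unsafe_entry(info.filename):
                raise ValueError(f"rejected archive: unsafe entry {info.filename!r}")
            # Independent second check: the resolved target must stay under dest_root.
            target = os.path.realpath(os.path.join(dest_root, info.filename))
            if os.path.commonpath([dest_root, target]) != dest_root:
                raise ValueError(f"rejected archive: {info.filename!r} resolves outside {dest_root}")
        written = []
        for info in zf.infolist():
            target = os.path.join(dest_root, info.filename)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {entry_name: content}; names are stored verbatim."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives for demonstration (not taken from the advisory).
BENIGN_ZIP = build_archive({"app/index.html": b"<html>ok</html>"})
TRAVERSAL_ZIP = build_archive({
    "app/index.html": b"<html>ok</html>",
    "../../../../etc/overwritten.conf": b"sample payload",  # entry that escapes the root
})

if __name__ == "__main__":
    print("benign archive, unsafe entries:", find_unsafe_entries(BENIGN_ZIP))
    print("crafted archive, unsafe entries:", find_unsafe_entries(TRAVERSAL_ZIP))
```

The same check can be run on an uploaded archive before it reaches any extraction code, which is the point at which a WAF rule or an application-side validator would reject it; the second, path-resolution check in safe_extract is deliberately redundant so that a name the first filter did not anticipate still cannot land outside the destination directory.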
How to fix
Update IBM WebSphere Application Server Liberty to a version later than 26.0.0.1 in which the path traversal vulnerability has been fixed. Consult the IBM advisory for details on the fixed versions and upgrade instructions.
Frequently asked questions
What is CVE-2025-14914 — Path Traversal in WebSphere Application Server Liberty?
CVE-2025-14914 is a Path Traversal vulnerability in WebSphere Application Server Liberty versions 17.0.0.3–26.0.0.1, allowing attackers to overwrite files and potentially achieve arbitrary code execution.
Am I affected by CVE-2025-14914 in WebSphere Application Server Liberty?
If you are running WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.1, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
How do I fix CVE-2025-14914 in WebSphere Application Server Liberty?
Upgrade to a patched version of WebSphere Application Server Liberty as recommended by IBM. Implement WAF rules as a temporary mitigation if patching is delayed.
Is CVE-2025-14914 being actively exploited?
While no active exploitation has been publicly confirmed, the nature of path traversal vulnerabilities suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Where can I find the official WebSphere Application Server advisory for CVE-2025-14914?
Refer to the official IBM Security Bulletin for CVE-2025-14914 for detailed information and the latest updates: [https://www.ibm.com/support/kbdoc/](https://www.ibm.com/support/kbdoc/)