Platform: java
Component: org.opencastproject:opencast-user-interface-configuration
Fixed in: 17.7.1, 18.0.1, 17.7
CVE-2025-55202 is a path traversal vulnerability in the Opencast UI Configuration module (Maven component org.opencastproject:opencast-user-interface-configuration). Under specific conditions it lets an attacker read files from directories that sit beside the UI configuration directory and share a common path prefix with it. Opencast versions before 17.7, as well as 18.0, are affected; fixes are available in 17.7 and 18.1.
The vulnerability stems from an insufficient path traversal check in the UI configuration module: the resolved file path is only required to begin with the path of the configured UI configuration directory, not to lie below it. Full path traversal is therefore not possible, but a sibling directory whose name extends that path passes the check. For example, with the default directory /etc/opencast/ui-config, files under /etc/opencast/ui-config-hidden become reachable, provided they are readable by the Opencast process. The potential impact is unauthorized disclosure of configuration files or other data stored in such adjacent directories. The vulnerability does not allow arbitrary code execution.
This CVE was published on 2025-08-29. At the time of writing there is no indication of active exploitation, no entry in the CISA KEV catalog, and no known public proof-of-concept exploit. The impact is limited: exploitation requires a directory with a matching name prefix to exist beside the UI configuration directory and its files to be readable by the Opencast process, which reduces the likelihood of widespread exploitation.
Exploit Status
EPSS
0.07% (21st percentile)
CISA SSVC
The primary mitigation for CVE-2025-55202 is to upgrade Opencast to version 17.7 or later (or to 18.1 or later on the 18.x line), which include the corrected path check. If an immediate upgrade is not feasible, make sure no directory next to the UI configuration directory shares its name as a prefix (for example /etc/opencast/ui-config-hidden beside /etc/opencast/ui-config), and restrict file permissions so that the Opencast process cannot read files in any such sibling directory; only the UI configuration directory itself needs to be readable by it. Review file permissions and access controls regularly to keep the configuration secure. After upgrading, confirm the fix by requesting a file from a sibling directory through the UI configuration endpoint and verifying that the request is denied.
Vendor guidance: update Opencast to version 17.7 or higher, or to version 18.1, to address the path traversal vulnerability. As a temporary measure, review the UI configuration and ensure that there are no folders whose path starts with the same path as the ui-config folder.
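The following is an added illustration of the bug class described above and of the sibling-directory workaround; it is example code written for this page, not Opencast's own implementation, and the request strings and directory listing are constructed inputs. It contrasts a string-prefix check (which accepts /etc/opencast/ui-config-hidden because the string begins with /etc/opencast/ui-config) with a component-boundary check, and includes a helper that lists which sibling directories a prefix check would expose.

```python
import posixpath

# Default UI configuration directory named in the advisory.
BASE = "/etc/opencast/ui-config"


def resolve_prefix_string(base: str, requested: str):
    """Weak check (illustrative reconstruction of the bug class, not Opencast code).

    The requested path is joined onto the base directory and normalised, then the
    result is compared to the base directory with a plain string prefix test.
    Because "/etc/opencast/ui-config-hidden" begins with "/etc/opencast/ui-config",
    a request of "../ui-config-hidden/x" survives the check.
    """
    candidate = posixpath.normpath(posixpath.join(base, requested))
    if not candidate.startswith(base):
        return None          # rejected
    return candidate         # path that would be opened and served


def resolve_prefix_component(base: str, requested: str):
    """Hardened check: the candidate must be the base directory itself or lie
    strictly below it, i.e. the prefix must end at a path-component boundary."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, requested))
    inside = candidate == base or candidate.startswith(base.rstrip("/") + "/")
    return candidate if inside else None


def prefix_siblings(base: str, parent_listing):
    """Workaround helper: given the entry names of the parent directory
    (a constructed list here; on a real host use os.listdir of the parent),
    return the sibling entries that a string-prefix check would expose."""
    name = posixpath.basename(base)
    return sorted(e for e in parent_listing if e != name and e.startswith(name))


if __name__ == "__main__":
    # Constructed sample requests: a legitimate file, the sibling-directory case,
    # a real traversal attempt and an absolute path.
    for req in ("mh_default_org/admin-ui/settings.json",
                "../ui-config-hidden/secrets.json",
                "../../passwd",
                "/etc/passwd"):
        print(f"{req!r:42} weak={resolve_prefix_string(BASE, req)!s:52} "
              f"hardened={resolve_prefix_component(BASE, req)}")
    # Constructed parent-directory listing for /etc/opencast.
    print(prefix_siblings(BASE, ["ui-config", "ui-config-hidden",
                                 "ui-config.bak", "workflows"]))
```

Only the sibling-directory request separates the two checks: both reject a genuine traversal out of /etc/opencast and an absolute path, which is why the advisory calls the traversal limited. The `prefix_siblings` output is what the temporary workaround asks an operator to empty or rename.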
CVE-2025-55202 is a path traversal vulnerability in the Opencast UI Configuration module affecting Opencast versions before 17.7 and version 18.0. Under specific conditions it allows access to files in directories adjacent to the UI configuration directory that share its name as a prefix.
You are affected if you run Opencast 17.6 or earlier, or 18.0. Upgrade to 17.7 or 18.1 to mitigate the vulnerability.
Upgrade Opencast to version 17.7 or later, or to 18.1 or later. As a temporary workaround, ensure no directory beside the UI configuration directory shares its name as a prefix, and restrict file permissions so the Opencast process cannot read files in such adjacent directories.
There is currently no evidence of active exploitation of CVE-2025-55202, and no public proof-of-concept exploit is known.
Refer to the Opencast project's security advisories and release notes for details on CVE-2025-55202 and the corresponding fix: [https://opencastproject.org/security/](https://opencastproject.org/security/)