Platform
ibm
Component
websphere-application-server-liberty
Fixed version
26.0.1
CVE-2025-14914 describes a Path Traversal vulnerability affecting IBM WebSphere Application Server Liberty. A privileged user can exploit this flaw by uploading a specially crafted zip archive containing path traversal sequences, allowing them to overwrite files and potentially achieve arbitrary code execution. This vulnerability impacts versions 17.0.0.3 through 26.0.0.1, and a fix is available from IBM.
The primary impact of CVE-2025-14914 is the potential for arbitrary code execution on the affected WebSphere Application Server Liberty instance. An attacker, possessing privileged access, can upload a zip file containing path traversal sequences (e.g., ../../../../) to overwrite critical system files. This overwrite could lead to the execution of malicious code, granting the attacker complete control over the server. The blast radius extends to any data processed by the Liberty server, including sensitive user data, application configurations, and potentially database credentials. This vulnerability shares similarities with other path traversal exploits where attackers leverage file system navigation to bypass security controls.
CVE-2025-14914 was publicly disclosed on 2026-02-02. Its inclusion in the CISA KEV catalog (KEV status unknown at this time) would indicate a higher probability of exploitation. Public proof-of-concept (POC) code is currently unavailable, but the nature of path traversal vulnerabilities often makes them relatively easy to exploit once a suitable attack vector is identified. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting WebSphere Application Server Liberty.
Organizations heavily reliant on WebSphere Application Server Liberty for hosting critical applications are at significant risk. This includes those using legacy configurations with weak access controls and those deploying Liberty in shared hosting environments where multiple applications share the same server instance. Applications that handle sensitive data, such as financial or healthcare information, are particularly vulnerable.
• linux / server: Monitor Liberty server logs for suspicious file upload attempts containing path traversal sequences (e.g., ../../). If Liberty's output is routed to the journal, use journalctl -f to monitor in real time (otherwise tail the server's messages.log):
journalctl -f | grep -F '../'
• java: Examine application server logs for errors related to file access or modification. Use Java profiling tools to monitor file system activity.
• generic web: Use curl to test file upload endpoints with crafted filenames containing path traversal sequences. Check for unexpected file modifications.
curl -F 'file=@<test-archive.zip>' http://your-liberty-server/upload
Exploitation status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2025-14914 is to upgrade to a patched version of WebSphere Application Server Liberty as soon as possible. IBM has released a fix, and the specific version number should be consulted in the official security advisory. If immediate patching is not feasible, consider implementing a Web Application Firewall (WAF) with rules to block the upload of zip files containing suspicious path traversal sequences. Additionally, restrict file upload privileges to only authorized users and implement strict input validation to prevent malicious file names. After upgrade, verify the fix by attempting to upload a test zip file with a path traversal sequence and confirming that the upload is blocked.
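The input validation and upload check described above, as an added example that is not IBM's code or part of the original advisory: a Python scanner that resolves every entry of an uploaded zip against the intended extraction directory and rejects the archive if any entry would land outside it. The extraction directory (DEST_ROOT) and the archive contents are constructed for the demonstration.

```python
import io
import os
import posixpath
import zipfile

# Hypothetical extraction directory; the real deploy path depends on the installation.
DEST_ROOT = "/var/tmp/liberty-upload-staging"

def entry_escapes_root(entry_name: str, dest_root: str) -> bool:
    """True if extracting this entry under dest_root would write outside it."""
    root = os.path.realpath(dest_root)
    # Archives built on Windows may carry backslashes; treat both as separators.
    name = entry_name.replace("\\", "/")
    if posixpath.isabs(name):          # absolute entry name, e.g. /etc/...
        return True
    # Resolve '..' components against the root and see where the entry would land.
    target = os.path.realpath(os.path.join(root, *name.split("/")))
    return os.path.commonpath([root, target]) != root

def find_traversal_entries(zip_bytes: bytes, dest_root: str = DEST_ROOT) -> list[str]:
    """Scan an uploaded archive in memory; return every entry that would escape."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if entry_escapes_root(n, dest_root)]

def safe_extract(zip_bytes: bytes, dest_root: str = DEST_ROOT) -> list[str]:
    """Reject the whole archive if any entry escapes; otherwise extract it."""
    bad = find_traversal_entries(zip_bytes, dest_root)
    if bad:
        raise ValueError(f"archive rejected, traversal entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        zf.extractall(dest_root)
        return zf.namelist()

def build_sample_archive() -> bytes:
    """Constructed test archive: one benign entry plus three traversal variants."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/WEB-INF/web.xml", b"<web-app/>")        # benign
        zf.writestr("app/../../../config/overwrite.txt", b"x")  # climbs above root
        zf.writestr("..\\..\\config\\overwrite.txt", b"x")       # Windows separators
        zf.writestr("/etc/overwrite.txt", b"x")                   # absolute name
    return buf.getvalue()

if __name__ == "__main__":
    print(find_traversal_entries(build_sample_archive()))
```

Rejecting the whole archive, rather than silently renaming the offending entries, keeps the event visible for logging and alerting.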
Update IBM WebSphere Application Server Liberty to a version later than 26.0.0.1 that has fixed the path traversal vulnerability. Consult the IBM advisory for more details on the fixed versions and the update instructions.
CVE-2025-14914 is a Path Traversal vulnerability in WebSphere Application Server Liberty versions 17.0.0.3–26.0.0.1, allowing attackers to overwrite files and potentially achieve arbitrary code execution.
If you are running WebSphere Application Server Liberty versions 17.0.0.3 through 26.0.0.1, you are potentially affected by this vulnerability. Check your version and upgrade accordingly.
Upgrade to a patched version of WebSphere Application Server Liberty as recommended by IBM. Implement WAF rules as a temporary mitigation if patching is delayed.
While no active exploitation has been publicly confirmed, the nature of path traversal vulnerabilities suggests a potential for exploitation. Monitor security advisories and threat intelligence feeds.
Refer to the official IBM Security Bulletin for CVE-2025-14914 for detailed information and the latest updates: [https://www.ibm.com/support/kbdoc/](https://www.ibm.com/support/kbdoc/)