Fess has Insecure Temporary File Permissions

Severity: Low | GitHub Reviewed | Published May 24, 2025 in codelibs/fess

Package

org.codelibs.fess:fess (Maven)

Affected versions

< 14.19.2

Summary

Fess (an open-source Enterprise Search Server) creates temporary files without restrictive permissions, which may allow local attackers to read sensitive information from these temporary files.

Details

The createTempFile() method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to information disclosure, allowing unauthorized local users to access sensitive data contained in these files.
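The weakness described above is a property of how Java temp files are created, not of any single call site. The following added example (written for this page; it is not Fess code and not the content of the fix commit referenced below) contrasts the umask-dependent java.io.File.createTempFile() pattern with a creation call that passes owner-only permissions as a creation attribute, and adds a small audit routine that reports files in a directory readable by other local users. All class and method names (TempFilePermissionsDemo, createTempFileUnsafe, createTempFileSafe, isExposedToOtherUsers, findExposedFiles) are hypothetical; Java 11 or later is assumed.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.EnumSet;
import java.util.List;
import java.util.Set;
import java.util.stream.Stream;

// Hypothetical demo class: not Fess code and not the advisory's fix commit.
public class TempFilePermissionsDemo {

    private static final Set<PosixFilePermission> NON_OWNER_BITS = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE, PosixFilePermission.GROUP_EXECUTE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE, PosixFilePermission.OTHERS_EXECUTE);

    private static boolean posix() {
        return FileSystems.getDefault().supportedFileAttributeViews().contains("posix");
    }

    // The weak pattern: java.io.File.createTempFile() creates the file with a mode derived from
    // the process umask. With the common umask 022 that is 0644, so every local user can read it.
    static File createTempFileUnsafe(String prefix, String suffix) throws IOException {
        File f = File.createTempFile(prefix, suffix);
        f.deleteOnExit();
        return f;
    }

    // The hardened pattern: pass owner-only permissions as a creation attribute so the file never
    // exists with a wider mode (the mode is applied by the open call, not by a later chmod).
    // Files.createTempFile without attributes already defaults to rw------- on POSIX; passing the
    // attribute explicitly documents the intent and does not rely on that default.
    static Path createTempFileSafe(String prefix, String suffix) throws IOException {
        Path p;
        if (posix()) {
            FileAttribute<Set<PosixFilePermission>> ownerOnly =
                    PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------"));
            p = Files.createTempFile(prefix, suffix, ownerOnly);
        } else {
            // Non-POSIX (e.g. Windows NTFS): access is governed by ACLs, not mode bits. The per-user
            // temp directory normally carries an owner-only ACL that new files inherit; a stricter
            // implementation would set an explicit ACL through AclFileAttributeView.
            p = Files.createTempFile(prefix, suffix);
        }
        p.toFile().deleteOnExit();
        return p;
    }

    // Audit check: true when any group or "others" permission bit is set on the file.
    static boolean isExposedToOtherUsers(Path p) throws IOException {
        if (!posix()) {
            return false; // mode bits unavailable; ACL inspection would be needed here
        }
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(p);
        for (PosixFilePermission bit : NON_OWNER_BITS) {
            if (perms.contains(bit)) {
                return true;
            }
        }
        return false;
    }

    // Defender's sweep: list regular files in a directory whose mode exposes them to other users.
    // Pointing it at java.io.tmpdir finds temp files left behind with a wide mode.
    static List<Path> findExposedFiles(Path dir) throws IOException {
        List<Path> exposed = new ArrayList<>();
        try (Stream<Path> entries = Files.list(dir)) {
            for (Path entry : (Iterable<Path>) entries::iterator) {
                try {
                    if (Files.isRegularFile(entry) && isExposedToOtherUsers(entry)) {
                        exposed.add(entry);
                    }
                } catch (IOException skipped) {
                    // entry vanished or is not stat-able by this user; not an exposure finding
                }
            }
        }
        return exposed;
    }

    private static String describe(Path p) throws IOException {
        String mode = posix() ? PosixFilePermissions.toString(Files.getPosixFilePermissions(p)) : "n/a";
        return p + " mode=" + mode + " exposedToOtherUsers=" + isExposedToOtherUsers(p);
    }

    public static void main(String[] args) throws IOException {
        Path unsafe = createTempFileUnsafe("perm-demo-", ".tmp").toPath();
        Path safe = createTempFileSafe("perm-demo-", ".tmp");
        System.out.println("File.createTempFile  -> " + describe(unsafe));
        System.out.println("Files.createTempFile -> " + describe(safe));
        Path tmpDir = Path.of(System.getProperty("java.io.tmpdir"));
        System.out.println("exposed files in " + tmpDir + ": " + findExposedFiles(tmpDir).size());
    }
}
```

Running this with a permissive umask on a POSIX system shows the first file with mode rw-r--r-- and the second with rw-------. The creation-time attribute matters because a create-then-chmod sequence leaves a window in which another local user can already open the file; the same reasoning is why a shared directory such as /tmp should be treated as hostile when files hold credentials, session data or crawled content.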

Impact

This issue primarily affects environments where Fess is deployed in a shared or multi-user context. Typical single-user or isolated deployments have minimal or negligible practical impact.

Workarounds

Ensure local access to the environment running Fess is restricted to trusted users only.

References

  • CVE-2022-24823: Netty temporary file permissions vulnerability

References

  • GHSA-g88v-2j67-9rmx
  • https://nvd.nist.gov/vuln/detail/CVE-2025-48382
  • codelibs/fess@25b2009

Published to the GitHub Advisory Database

May 27, 2025
