CVE-2025-40592

CVE-2025-40592 PUBLISHED

Assigner: siemens
Reserved: 16.04.2025 Published: 12.06.2025 Updated: 08.07.2025

A vulnerability has been identified in Mendix Studio Pro 10 (All versions < V10.23.0), Mendix Studio Pro 10.12 (All versions < V10.12.17), Mendix Studio Pro 10.18 (All versions < V10.18.7), Mendix Studio Pro 10.6 (All versions < V10.6.24), Mendix Studio Pro 11 (All versions < V11.0.0), Mendix Studio Pro 8 (All versions < V8.18.35), Mendix Studio Pro 9 (All versions < V9.24.35). A zip path traversal vulnerability exists in the module installation process of Studio Pro. By crafting a malicious module and distributing it via (for example) the Mendix Marketplace, an attacker could write or modify arbitrary files in directories outside a developer’s project directory upon module installation.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:H/A:N
CVSS Score: 6.1

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:N/SI:H/SA:N
CVSS Score: 4.6

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	High
Attack Requirements	None	Availability	None	Availability	None
Privileges Required	None
User Interaction	Active

CVSS 4.0

Product Status

Vendor	Siemens
Product	Mendix Studio Pro 10
Versions	Default: unknown affected from 0 to V10.23.0 (excl.)

Vendor

Siemens

Product

Mendix Studio Pro 10

Versions

Default: unknown

affected from 0 to V10.23.0 (excl.)

Vendor	Siemens
Product	Mendix Studio Pro 10.12
Versions	Default: unknown affected from 0 to V10.12.17 (excl.)

Vendor

Siemens

Product

Mendix Studio Pro 10.12

Versions

Default: unknown

affected from 0 to V10.12.17 (excl.)

Vendor	Siemens
Product	Mendix Studio Pro 10.18
Versions	Default: unknown affected from 0 to V10.18.7 (excl.)

Vendor

Siemens

Product

Mendix Studio Pro 10.18

Versions

Default: unknown

affected from 0 to V10.18.7 (excl.)

Vendor	Siemens
Product	Mendix Studio Pro 10.6
Versions	Default: unknown affected from 0 to V10.6.24 (excl.)

Vendor

Siemens

Product

Mendix Studio Pro 10.6

Versions

Default: unknown

affected from 0 to V10.6.24 (excl.)

Vendor	Siemens
Product	Mendix Studio Pro 11
Versions	Default: unknown affected from 0 to V11.0.0 (excl.)

Vendor

Siemens

Product

Mendix Studio Pro 11

Versions

Default: unknown

affected from 0 to V11.0.0 (excl.)

Vendor	Siemens
Product	Mendix Studio Pro 8
Versions	Default: unknown affected from 0 to V8.18.35 (excl.)

Vendor

Siemens

Product

Mendix Studio Pro 8

Versions

Default: unknown

affected from 0 to V8.18.35 (excl.)

Vendor	Siemens
Product	Mendix Studio Pro 9
Versions	Default: unknown affected from 0 to V9.24.35 (excl.)

Vendor

Siemens

Product

Mendix Studio Pro 9

Versions

Default: unknown

affected from 0 to V9.24.35 (excl.)

References

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE