Security Advisory: CVE-2025-48976 – Conditional Exposure in Skyve 8

Date Published: 2025-07-16
CVE Reference: CVE-2025-48976
Component: Apache Commons FileUpload (via PrimeFaces)
Affected: Skyve 8 (under specific configurations)
Not Affected: Skyve 9 and later

Summary

CVE-2025-48976 describes a vulnerability in Apache Commons FileUpload: the library allocated memory for the headers of a multipart request without an adequate limit, so a specially crafted multipart upload can exhaust server memory and cause a Denial of Service (DoS). Any component that hands incoming multipart form data to Commons FileUpload can trigger it. The issue is fixed upstream in Commons FileUpload 1.6 (and 2.0.0-M4 for the 2.x line).

After a detailed review, we have confirmed:

  • Skyve 9 is not impacted

  • Skyve 8 is only vulnerable under specific conditions

Skyve 9 – Not Vulnerable

Skyve 9 does not use Apache Commons FileUpload for processing file uploads. If your application is running on Skyve 9, no action is required.

Skyve 8 – Conditionally Vulnerable

Skyve 8 is only exposed to CVE-2025-48976 if either of the following applies:

  1. Your application explicitly configures PrimeFaces to use the commons uploader in your web.xml:

    • <context-param>
        <param-name>primefaces.UPLOADER</param-name>
        <param-value>commons</param-value>
      </context-param>

  2. You are using a JSF (JavaServer Faces) implementation earlier than 2.2. PrimeFaces' native uploader relies on the multipart support introduced in JSF 2.2, so on an older JSF the default "auto" setting falls back to the commons uploader even if you never configured it. This can occur if:

    • You are running JBoss AS 7 or earlier (there was no WildFly 7; WildFly 8 was the first release under that name and the first to ship JSF 2.2), or

    • You have packaged a legacy JSF implementation with your application

Recommended Actions

If you’re using Skyve 8, we recommend:

  • Avoid the commons uploader: set primefaces.UPLOADER to "native" or "auto" in web.xml, or remove the parameter altogether, since "auto" is the PrimeFaces default

  • Ensure JSF 2.2 or later is used, either by upgrading your application server (e.g. to WildFly 8+) or updating the JSF libraries bundled with your application

  • If you cannot move off the commons uploader, make sure the commons-fileupload artifact on your classpath is 1.6 or later, which contains the upstream fix

  • Consider upgrading to Skyve 9, which is not affected by this issue and benefits from additional security and performance improvements
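As an added check (example code written for this page, not part of the advisory or of Skyve's own tooling), the following POSIX shell script audits an exploded Skyve 8 WAR for the two exposure conditions above and then applies the uploader fix and re-checks. It assumes the deployment descriptor is at WEB-INF/web.xml and that an application-bundled JSF implementation sits in WEB-INF/lib under a name such as jsf-impl-<version>.jar or javax.faces-<version>.jar; version detection from the filename is a heuristic, so inspect the jar manifest if in doubt. The script constructs its own sample WAR, with the weak setting and an empty stand-in jsf-impl-2.1.29.jar, so it runs offline; on a real deployment call assess with the path to the exploded WAR.

```shell
#!/bin/sh
# Added example, not Skyve's own tooling: audit an exploded Skyve 8 WAR for the two
# exposure conditions in this advisory, then apply the uploader fix and re-check.
# Assumptions: the deployment descriptor is WEB-INF/web.xml, and an application-bundled
# JSF implementation sits in WEB-INF/lib as jsf-impl-<version>.jar or
# javax.faces-<version>.jar (a filename heuristic; check the jar manifest if in doubt).
set -eu

# Build a constructed sample exploded WAR that has the weak setting AND a stand-in
# legacy JSF jar (an empty file; only its name matters to this demonstration).
make_sample_war() {
  dir=$(mktemp -d)
  mkdir -p "$dir/WEB-INF/lib"
  cat > "$dir/WEB-INF/web.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <context-param>
    <param-name>primefaces.UPLOADER</param-name>
    <param-value>commons</param-value>
  </context-param>
</web-app>
EOF
  : > "$dir/WEB-INF/lib/jsf-impl-2.1.29.jar"
  printf '%s\n' "$dir"
}

# Print the configured primefaces.UPLOADER value, or "auto" (the PrimeFaces default)
# when the parameter is absent. Newlines are stripped first so the element may span lines.
uploader_setting() {
  tr -d '\n\r' < "$1/WEB-INF/web.xml" \
    | sed -n 's/.*<param-name>[[:space:]]*primefaces\.UPLOADER[[:space:]]*<\/param-name>[[:space:]]*<param-value>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*<\/param-value>.*/\1/p' \
    | grep . || echo auto
}

# Print the version of a JSF implementation bundled in WEB-INF/lib, or "none" when the
# application relies on the server's JSF (filename heuristic, see assumptions above).
bundled_jsf_version() {
  for jar in "$1"/WEB-INF/lib/jsf-impl-*.jar "$1"/WEB-INF/lib/javax.faces-*.jar; do
    [ -f "$jar" ] || continue
    basename "$jar" | sed 's/.*-\([0-9][0-9.]*\)\.jar$/\1/'
    return 0
  done
  echo none
}

# Succeed when a dotted version is below 2.2, the first JSF release with native multipart support.
jsf_older_than_2_2() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 2 ]; }
}

# Apply the advisory's two conditions. A pre-2.2 JSF counts on its own, whatever the
# uploader setting, because PrimeFaces' "auto" falls back to commons without JSF 2.2.
assess() {
  up=$(uploader_setting "$1")
  jsf=$(bundled_jsf_version "$1")
  if [ "$up" = commons ]; then
    echo "exposed: primefaces.UPLOADER=commons"
  elif [ "$jsf" != none ] && jsf_older_than_2_2 "$jsf"; then
    echo "exposed: bundled JSF $jsf is older than 2.2"
  else
    echo "not-exposed: uploader=$up bundled-jsf=$jsf"
  fi
}

# Rewrite the context-param in place so PrimeFaces uses its native uploader.
fix_uploader() {
  webxml="$1/WEB-INF/web.xml"
  awk '
    /<param-name>[ \t]*primefaces\.UPLOADER[ \t]*<\/param-name>/ { hit = 1 }
    hit && /<param-value>/ {
      sub(/<param-value>[ \t]*commons[ \t]*<\/param-value>/, "<param-value>native</param-value>")
      hit = 0
    }
    { print }
  ' "$webxml" > "$webxml.tmp" && mv "$webxml.tmp" "$webxml"
}

# Demonstration on the constructed WAR; on a real deployment run: assess /path/to/exploded/war
war=$(make_sample_war)
echo "1. as deployed:          $(assess "$war")"
fix_uploader "$war"
echo "2. uploader fixed:       $(assess "$war")"   # still exposed via the bundled legacy JSF
rm "$war/WEB-INF/lib/jsf-impl-2.1.29.jar"          # drop the bundle; use the server's JSF 2.2+
echo "3. legacy JSF removed:   $(assess "$war")"
rm -r "$war"
```

The three-step run is the point of the example: switching the uploader to native clears the first condition but the deployment stays exposed while a pre-2.2 JSF is bundled, so both recommended actions have to be applied before the check reports not-exposed.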

Need Help?

If you’re unsure whether your deployment is affected or need assistance with mitigation, please contact the Skyve team via GitHub Discussions, Slack or your usual support channel.

Thank you for your continued trust in Skyve. We remain committed to proactively reviewing security threats and keeping our customers informed.