CVE-2026-57898
Eclipse Foundation · Eclipse BaSyx - Java Server SDK
An unauthenticated arbitrary file write vulnerability in the Eclipse BaSyx Java Server SDK allows remote attackers to write files to the server filesystem via the AAS thumbnail API.
Executive summary
A critical path traversal vulnerability in the Eclipse BaSyx Java Server SDK allows unauthenticated attackers to execute arbitrary code by writing malicious files to the server.
Vulnerability
The application fails to properly sanitize the fileName request parameter in the AAS thumbnail API when using a MongoDB backend. This allows an unauthenticated attacker to supply a path-traversal filename, enabling the writing of arbitrary files to the host system.
Business impact
The vulnerability carries a CVSS score of 9.0 (Critical), reflecting the potential for full system compromise. Successful exploitation could allow an attacker to achieve remote code execution, leading to total loss of confidentiality, integrity, and availability of the affected server and potential lateral movement within the network.
Remediation
Immediate Action: Upgrade to Eclipse BaSyx Java Server SDK version 2.0.0-milestone-13 or later immediately.
Proactive Monitoring: Inspect server logs for unusual requests to the AAS thumbnail API, specifically those containing path-traversal sequences such as "../" or absolute file paths.
Compensating Controls: If patching is delayed, isolate the application from the public internet or implement a Web Application Firewall (WAF) rule to block requests with suspicious filename patterns targeting the thumbnail upload endpoint.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this vulnerability and the potential for remote code execution, administrators should prioritize updating to version 2.0.0-milestone-13. The ability for an unauthenticated attacker to write files to the server creates a high-risk scenario that requires immediate remediation to prevent system compromise.