Apache Jena, a widely-used Java framework for building semantic web and linked data applications, has released an important security update addressing two vulnerabilities—CVE-2025-49656 and CVE-2025-50151—that could be exploited by administrative users to compromise the integrity of the server file system.
Apache Jena is a free and open source Java framework for building semantic web and Linked Data applications. The framework is composed of different APIs interacting together to process RDF data.
The first flaw, CVE-2025-49656, allows administrative users to create database files outside the designated server directory space via the Fuseki Admin UI.
“Users with administrator access can create databases files outside the files area of the Fuseki server. This issue affects Apache Jena version up to 5.4.0,” the advisory explains.
This vulnerability could allow attackers with admin privileges to plant files in unintended locations, potentially leading to system compromise or misuse.
The second vulnerability, CVE-2025-50151, arises from improper validation of configuration files uploaded via the admin interface. File access paths within these uploaded configurations were not being validated, which opened the door to arbitrary file access or manipulation.
“File access paths in configuration files uploaded by users with administrator access are not validated. This issue affects Apache Jena version up to 5.4.0,” the advisory states.
This issue could enable rogue administrators to insert harmful configurations or alter operational parameters in unintended ways.
To mitigate these issues, all users are strongly encouraged to upgrade to Apache Jena version 5.5.0, which implements safeguards against directory traversal and configuration file path manipulation.
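Both advisories describe a path supplied through the admin interface that ends up outside the server's files area. The following is an added example of the containment check that addresses this class of flaw; it is not Apache Jena's code or the 5.5.0 fix, and the class name, method name and sample inputs are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.List;

public class FilesAreaCheck {
    // Hypothetical helper: map a client-supplied name or path into filesArea,
    // refusing anything that would resolve outside it.
    static Path resolveInside(Path filesArea, String supplied) throws IOException {
        Path base = filesArea.toRealPath();                 // canonical base, symlinks resolved
        Path candidate;
        try {
            candidate = base.resolve(supplied).normalize(); // absolute input replaces base; ".." collapsed
        } catch (InvalidPathException e) {
            throw new SecurityException("Malformed path: " + e.getReason());
        }
        // The target may not exist yet, so resolve symlinks on the deepest
        // existing ancestor; a link inside the area must not redirect the write.
        Path existing = candidate;
        while (existing != null && !Files.exists(existing)) {
            existing = existing.getParent();
        }
        if (existing == null) {
            throw new SecurityException("No existing ancestor: " + supplied);
        }
        Path real = existing.toRealPath().resolve(existing.relativize(candidate));
        if (!real.startsWith(base)) {                       // compares path elements, not string prefixes
            throw new SecurityException("Path escapes files area: " + supplied);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        Path area = Files.createTempDirectory("files-area"); // stand-in for the server's files area
        // Constructed inputs: two legitimate names, then three paths that leave the area.
        List<String> inputs = List.of("ds1", "nested/ds2", "../outside",
                                      "/tmp/elsewhere", "ds1/../../sibling");
        for (String in : inputs) {
            try {
                System.out.println("accept " + in + " -> " + resolveInside(area, in));
            } catch (SecurityException e) {
                System.out.println("reject " + in + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The same check applies to every file path read out of an uploaded configuration file before the server opens or creates it.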