OTPulse

Zip Path Traversal Vulnerability in Mendix Studio Pro's Module Installation Process

Priority: Monitor | Score: 6.1 | Advisory: SSA-627195 | Published: Jun 12, 2025
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Mendix Studio Pro contains a path traversal vulnerability in the module installation process. When a developer installs a module, a malicious zip file could extract and write files to directories outside the project folder, allowing an attacker to modify arbitrary files on the developer's machine. Affected versions: Studio Pro 8 (before 8.18.35), 9 (before 9.24.35), 10 (before 10.23.0), 10.6 (before 10.6.24), 10.12 (before 10.12.17), 10.18 (before 10.18.7), and 11 (before 11.0.0).

What this means
What could happen
A developer could be tricked into installing a malicious Mendix module that writes files outside the project directory, potentially compromising the development environment or injecting malicious code into applications being built. This primarily affects software development environments rather than operational plant systems.
Who's at risk
Mendix developers and development teams using Mendix Studio Pro versions 8, 9, 10, or 11. This affects internal software development environments and tools used to build custom applications for utility operations, SCADA extensions, or business logic applications.
How it could be exploited
An attacker creates a malicious Mendix module package whose zip entries carry path traversal sequences in their names (e.g., ../../). When a developer installs this module through Mendix Studio Pro's module installation process, the extraction joins each entry name to the project folder without checking where the result resolves, so files are overwritten or created in arbitrary locations on the developer's machine outside the intended project folder. The writes happen with the privileges of the developer's Studio Pro process, so what can be reached is bounded by that user's file permissions.
Prerequisites
  • Developer must manually install a malicious module package from an untrusted source
  • Mendix Studio Pro must be running on the developer's machine
  • User interaction required (developer clicks install)
Tags:
  • requires user interaction to trigger
  • low exploit probability (0.1% EPSS)
  • affects development environments, not operational systems
  • path traversal can modify arbitrary files
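The extraction flaw described above, and the check a module installer needs, as an added example. This is illustrative Python written for this page, not Mendix's code (Studio Pro is a .NET application); the package contents, member names and directory layout are constructed, and the Mendix-looking file name is hypothetical. It builds an in-memory module package with traversal, Windows-separator and absolute-path entries, shows an unchecked join landing a file outside the project folder, and then the hardened installer that resolves every member against the destination (and rejects symlink members, which a later entry could write through) before it writes anything.

```python
import io
import os
import stat
import tempfile
import zipfile

# Constructed sample package: one legitimate member and three hostile ones.
# Member names are hypothetical; only the traversal shapes matter.
HOSTILE_ENTRIES = {
    "MyModule/MyModule.mpr": b"legitimate module content",
    "../../evil.txt": b"lands two levels above the project folder",
    "..\\..\\evil-win.txt": b"same trick with Windows separators",
    "/etc/hostile.conf": b"absolute name ignores the destination entirely",
}


def build_package(entries):
    """Zip {member name: bytes} in memory. zipfile stores '..' and a leading '/'
    in member names exactly as given, which is what an attacker relies on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_target(dest, member_name):
    """Where an unchecked os.path.join(dest, name) would write this member.
    Backslashes are normalised so Windows-style traversal is judged identically."""
    return os.path.realpath(os.path.join(dest, member_name.replace("\\", "/")))


def find_unsafe_entries(package, dest):
    """Members whose write target resolves outside dest, plus symlink members
    (a link pointing out of dest would let a later member write through it)."""
    dest_real = os.path.realpath(dest)
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            target = naive_target(dest_real, info.filename)
            escapes = os.path.commonpath([dest_real, target]) != dest_real
            is_link = stat.S_ISLNK(info.external_attr >> 16)
            if escapes or is_link:
                unsafe.append(info.filename)
    return unsafe


def naive_extract(package, dest):
    """The vulnerable pattern: trust the member name, join it to dest, write."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename.replace("\\", "/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())


def safe_extract(package, dest):
    """Hardened install: reject the whole package if any member is unsafe,
    otherwise extract and return the paths written, relative to dest."""
    bad = find_unsafe_entries(package, dest)
    if bad:
        raise ValueError(f"refusing to install: unsafe members {bad}")
    dest_real = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = naive_target(dest_real, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as out:
                out.write(src.read())
            written.append(os.path.relpath(target, dest_real))
    return written


def demo():
    """Run both installers inside a throwaway directory so the traversal lands
    somewhere harmless (root/a/evil.txt rather than a real system path)."""
    root = os.path.realpath(tempfile.mkdtemp())
    dest = os.path.join(root, "a", "b", "project")
    os.makedirs(dest)
    flagged = find_unsafe_entries(build_package(HOSTILE_ENTRIES), dest)
    naive_extract(build_package({"../../evil.txt": b"escaped"}), dest)
    escaped = os.path.isfile(os.path.join(root, "a", "evil.txt"))
    try:
        safe_extract(build_package(HOSTILE_ENTRIES), dest)
        refused = False
    except ValueError:
        refused = True
    installed = safe_extract(build_package({"MyModule/MyModule.mpr": b"ok"}), dest)
    return {"flagged": flagged, "escaped": escaped, "refused": refused, "installed": installed}
```

Calling demo() returns the three hostile names as flagged, confirms the unchecked join wrote evil.txt two levels above the project folder, and shows the hardened installer refusing the hostile package while installing the clean one. Python's own ZipFile.extract() already strips ".." and leading separators, which is why naive_extract joins paths by hand: that unchecked join is the pattern the advisory describes. The same check (resolve, then compare against the destination's real path) can be run over any downloaded module package before it is imported into Studio Pro.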
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (7), 7 with fix
Product | Affected Versions | Fixed In
Mendix Studio Pro 8 | < V8.18.35 | 8.18.35
Mendix Studio Pro 9 | < V9.24.35 | 9.24.35
Mendix Studio Pro 10 | < V10.23.0 | 10.23.0
Mendix Studio Pro 10.6 | < V10.6.24 | 10.6.24
Mendix Studio Pro 10.12 | < V10.12.17 | 10.12.17
Mendix Studio Pro 10.18 | < V10.18.7 | 10.18.7
Mendix Studio Pro 11 | < V11.0.0 | 11.0.0
Remediation & Mitigation
Do now
WORKAROUND: Instruct developers to only install modules from trusted and verified sources
Schedule — requires maintenance window

Updating replaces the Studio Pro installation on each developer workstation; plan for interruption to development work rather than to plant processes (Studio Pro is a desktop IDE, not a field device).

Mendix Studio Pro 8
HOTFIX: Update Mendix Studio Pro 8 to version 8.18.35 or later
Mendix Studio Pro 9
HOTFIX: Update Mendix Studio Pro 9 to version 9.24.35 or later
Mendix Studio Pro 10
HOTFIX: Update Mendix Studio Pro 10 to version 10.23.0 or later
HOTFIX: Update Mendix Studio Pro 10.6 to version 10.6.24 or later
HOTFIX: Update Mendix Studio Pro 10.12 to version 10.12.17 or later
HOTFIX: Update Mendix Studio Pro 10.18 to version 10.18.7 or later
Mendix Studio Pro 11
HOTFIX: Update Mendix Studio Pro 11 to version 11.0.0 or later
API: /api/v1/advisories/b1920c51-1027-48c1-b644-871e48833b5f