
JVNDB-2025-000015

RevoWorks SCVX and RevoWorks Browser vulnerable to incorrect resource transfer between spheres

Overview

RevoWorks SCVX and RevoWorks Browser provided by J's Communication Co., Ltd. contain an incorrect resource transfer between spheres vulnerability.

RevoWorks SCVX and RevoWorks Browser provided by J's Communication Co., Ltd. build a sandbox environment isolated from a server or a client's local environment. These products provide a function that sanitizes files when they are downloaded from the sandbox environment to the local environment. However, a defect was found in this function: some .csv and .eml files are not sanitized when they are downloaded (CWE-669).

J's Communication Co., Ltd. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
JPCERT/CC and J's Communication Co., Ltd. coordinated under the Information Security Early Warning Partnership.

CVSS Severity

CVSS V3 Severity:
Base Metrics 2.7 (Low) [IPA Score]
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Affected Products

J's Communication Co., Ltd.
  • RevoWorks Browser 2.2.100 and earlier 2 series versions
  • RevoWorks Browser 3.0.1 and earlier 3 series versions
  • RevoWorks SCVX 4.0.234 and earlier 4 series versions
  • RevoWorks SCVX 5.0.7 and earlier 5 series versions

Impact

Malicious files may be downloaded to the system where the product is used.

Solution

RevoWorks SCVX
[Apply the Patch]
Apply the patch according to the information provided by the developer.
  • RevoWorks SCVX4.0.x: Patch only

  • RevoWorks SCVX5.0.x: Patch and SCVX Image version update (SCVX Image5.0.16_446) required

RevoWorks Browser
[Update the Software]
The developer has released RevoWorks Browser2.2.101 and RevoWorks Browser3.0.2 that address the vulnerability.

Vendor Information

J's Communication Co., Ltd.

CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]

CVE

  1. CVE-2025-26698

References

  1. JVN : JVN#91300609

Revision History

  • [2025/02/19]
      Web page was published