Nov 2025 Security Patch for VitaraMaps
Security patch for a potential SSRF vulnerability
VitaraMaps SSRF Security Patch Drop-In: Deployment Instructions
This patch is designed as a drop-in replacement for VitaraMaps versions 5.3.1 through 5.3.6.
Download URLs:
https://vchost.vitaracharts.com/distributions/Maps/5.3.6.175/dropIn/VitaraMaps.zip
https://vchost.vitaracharts.com/distributions/Maps/5.3.6.175/dropIn/VitaraMapsLibrary.zip
This patch provides the updated, security-hardened versions of fileLoader.jsp and fileLoader.aspx.
Follow the steps below to deploy the patch in all required MicroStrategy components.
1. Contents of the Patch
The patch package contains:
VitaraMaps/
  fileLoader.jsp
  fileLoader.aspx
VitaraMapsLibrary/
  fileLoader.jsp
  fileLoader.aspx
These files must overwrite the existing versions of the files in the VitaraMaps and VitaraMapsLibrary installation.
2. Where to Apply the Patch
The patch must be applied in all environments where VitaraMaps is used:
MicroStrategy Web: <WebRoot>/plugins/VitaraMaps/
MicroStrategy Library: <LibraryRoot>/plugins/VitaraMapsLibrary/
PDF Export Engine (Export Server): <PDFExportRoot>/plugins/VitaraMaps/
Each of these components maintains its own plugins folder, so all relevant locations should be updated.
3. Deployment Steps
Step 1 — Extract the Patch
Download and unzip:
VitaraMaps.zip
VitaraMapsLibrary.zip (Library distribution only)
You will see directories:
VitaraMaps/
VitaraMapsLibrary/ (for Library only)
containing the updated fileLoader files.
Step 2 — Copy Over Existing Installation
Navigate to each MicroStrategy component’s VitaraMaps folder, for example:
<WebRoot>/plugins/VitaraMaps/
<LibraryRoot>/plugins/VitaraMapsLibrary/
<PDFExportResources>/plugins/VitaraMaps/
Then:
Copy the extracted VitaraMaps (or VitaraMapsLibrary) folder on top of the existing folder (i.e. into the ~/plugins/ folder). Alternatively, you can overwrite each file individually. When prompted, choose Replace / Overwrite all files.
This ensures the old fileLoader logic is replaced with the secure version.
Step 3 — Restart the Web Server
After replacing the files, restart services:
Tomcat / IIS / Web Server (for MicroStrategy Web and MicroStrategy Library)
PDF Export Engine
This ensures the updated fileLoader code is picked up.
Step 4 Verification - How to Confirm Patch is Working
To verify that the SSRF protection is active, you can test the behavior of fileLoader.jsp (or fileLoader.aspx) directly using a harmless public URL such as https://vchost.vitaracharts.com/distributions/5.3.9.215/dropIn/sample.txt.
Test AFTER adding the Patch
Open the following URL in the browser:
For: MicroStrategy Web
https://<YourServer>:<port>/MicroStrategy/plugins/VitaraMaps/fileLoader.jsp?file=https://vchost.vitaracharts.com/distributions/5.3.9.215/dropIn/sample.txt
For: MicroStrategy Library
https://<YourServer>:<port>/MicroStrategy/plugins/VitaraMapsLibrary/fileLoader.jsp?file=https://vchost.vitaracharts.com/distributions/5.3.9.215/dropIn/sample.txt
Expected Result With Fix (Patch Working)
You should see a JSON response similar to:
null({status:400, msg:'host not allowed', data:'bnVsbA==', type:'null', ctx:'null'})
This means the patch is correctly blocking external URLs.
If you see the following result instead, you are still using the old file.
Result Without Fix:
null({status:200, msg:'success', data:'WW91IGhhdmUgbG9hZGVkIGFuIGV4dGVybmFsIHJlc291cmNlIGZyb20gVml0YXJh', type:'null', ctx:'null'})
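The check from Step 4 can be scripted when several servers have to be verified. The following is an added example, not part of the vendor's patch or documentation: it parses a response body in the format of the two samples above and reports whether it indicates the patched or the old fileLoader. The function names are hypothetical, and the response format is assumed from those two samples only.

```python
import base64
import re

# Sample responses copied from this page (external-URL test, with and without the fix).
PATCHED = "null({status:400, msg:'host not allowed', data:'bnVsbA==', type:'null', ctx:'null'})"
UNPATCHED = ("null({status:200, msg:'success', data:"
             "'WW91IGhhdmUgbG9hZGVkIGFuIGV4dGVybmFsIHJlc291cmNlIGZyb20gVml0YXJh', "
             "type:'null', ctx:'null'})")

# Function-call wrapper around an object literal, e.g. null({...})
_WRAPPER = re.compile(r"^\s*[\w.$]+\(\s*\{(.*)\}\s*\)\s*;?\s*$", re.S)
# key:'string' or key:number pairs inside the object literal
_FIELD = re.compile(r"(\w+)\s*:\s*(?:'((?:[^'\\]|\\.)*)'|(-?\d+))")


def parse_fileloader_response(body):
    """Parse name({key:'value', ...}) into a dict.

    The body is not strict JSON (unquoted keys, single quotes), so
    json.loads cannot be used on it directly.
    """
    m = _WRAPPER.match(body)
    if not m:
        raise ValueError("not a fileLoader-style response")
    fields = {}
    for key, text, number in _FIELD.findall(m.group(1)):
        fields[key] = int(number) if number else text
    if "status" not in fields:
        raise ValueError("response has no status field")
    return fields


def classify(body):
    """Return (verdict, decoded data) for a response to the external-URL test."""
    fields = parse_fileloader_response(body)
    try:
        raw = base64.b64decode(str(fields.get("data", "")), validate=True)
        decoded = raw.decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        decoded = ""
    if fields["status"] == 400 and fields.get("msg") == "host not allowed":
        return "patched", decoded
    if fields["status"] == 200:
        return "unpatched", decoded  # external content was fetched and returned
    return "inconclusive", decoded
```

Pass the body returned by each test URL to classify(); an "unpatched" verdict on any component means that plugins folder still holds the old fileLoader file.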
