CVE-2025-52995

Published: Jun 30, 2025Modified: Jul 10, 2025

6.6

Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 0.7 / Impact: 5.9

Source: NVD

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. This issue has been patched in version 2.33.10.

Affected (1)

Products: Filebrowser: Filebrowser

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Filebrowser Filebrowser	Up to 2.33.8

Related CWEs

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (3)

https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108

Source: security-advisories@github.com

Patch

https://github.com/filebrowser/filebrowser/releases/tag/v2.33.10

Source: security-advisories@github.com

Release Notes

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-w7qc-6grj-w7r8

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.