CVE-2025-52900

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers using File Browser prior to version 2.33.7 where the umask configuration has not been hardened before, this makes all the stated files readable by any operating system account. Version 2.33.7 fixes the issue.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/filebrowser/filebrowser/commit/ca86f916216620365c0f81629c0934ce02574d76	Patch
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jj2r-455p-5gvf	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

History

10 Jul 2025, 01:17

Type	Values Removed	Values Added
References	~~() https://github.com/filebrowser/filebrowser/commit/ca86f916216620365c0f81629c0934ce02574d76 -~~	() https://github.com/filebrowser/filebrowser/commit/ca86f916216620365c0f81629c0934ce02574d76 - Patch
References	~~() https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jj2r-455p-5gvf -~~	() https://github.com/filebrowser/filebrowser/security/advisories/GHSA-jj2r-455p-5gvf - Exploit, Vendor Advisory
First Time		Filebrowser filebrowser Filebrowser
Summary		(es) File Browser proporciona una interfaz de gestión de archivos dentro de un directorio específico y permite cargar, eliminar, previsualizar, renombrar y editar archivos. La aplicación nunca configura explícitamente los permisos de acceso a los archivos cargados o creados desde el Explorador de Archivos. Lo mismo ocurre con la base de datos que utiliza. En servidores estándar que utilizan el Explorador de Archivos antes de la versión 2.33.7, donde la configuración de umask no se ha reforzado previamente, esto permite que todos los archivos indicados sean legibles por cualquier cuenta del sistema operativo. La versión 2.33.7 soluciona el problema.
CPE		cpe:2.3:a:filebrowser:filebrowser::::::::

26 Jun 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-26 15:15

Updated : 2025-07-10 01:17

NVD link : CVE-2025-52900

Mitre link : CVE-2025-52900

CVE.ORG link : CVE-2025-52900

JSON object : View

Products Affected

filebrowser

filebrowser

CWE

CWE-276

Incorrect Default Permissions

5.5 /10