CVE-2025-52903

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions on the 2.x branch prior to 2.33.10, the Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Version 2.33.10 contains a check for whether a command is allowed when using shell.

CVSS v3 8.0 HIGH

8.0^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/GoogleContainerTools/distroless	Product
https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108
https://github.com/filebrowser/filebrowser/issues/5199	Issue Tracking
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4	Exploit Mitigation Vendor Advisory
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-02_Filebrowser_Shell_Commands_Can_Spawn_Other_Commands
https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html	Technical Description
https://pkg.go.dev/vuln/GO-2025-3786
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:filebrowser:filebrowser:2.32.0:*:*:*:*:*:*:*

History

09 Jun 2026, 13:16

Type	Values Removed	Values Added
Summary	(en) File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0, the Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. The fix is tracked on pull request 5199.	(en) File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions on the 2.x branch prior to 2.33.10, the Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Version 2.33.10 contains a check for whether a command is allowed when using shell.
References		() https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108 - () https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-02_Filebrowser_Shell_Commands_Can_Spawn_Other_Commands - () https://pkg.go.dev/vuln/GO-2025-3786 -
References	~~() https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4 - Exploit, Vendor Advisory, Mitigation~~	() https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4 - Exploit, Mitigation, Vendor Advisory

05 Aug 2025, 18:23

Type	Values Removed	Values Added
CPE		cpe:2.3:a:filebrowser:filebrowser:2.32.0:::::::*
First Time		Filebrowser filebrowser Filebrowser
References	~~() https://github.com/GoogleContainerTools/distroless -~~	() https://github.com/GoogleContainerTools/distroless - Product
References	~~() https://github.com/filebrowser/filebrowser/issues/5199 -~~	() https://github.com/filebrowser/filebrowser/issues/5199 - Issue Tracking
References	~~() https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4 -~~	() https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4 - Exploit, Vendor Advisory, Mitigation
References	~~() https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html -~~	() https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html - Technical Description

30 Jun 2025, 18:39

Type	Values Removed	Values Added
Summary		(es) File Browser proporciona una interfaz de gestión de archivos dentro de un directorio específico y permite cargar, eliminar, previsualizar, renombrar y editar archivos. En la versión 2.32.0, la función de Ejecución de Comandos del Explorador de Archivos solo permite la ejecución de comandos de shell predefinidos en una lista de permitidos específica del usuario. Muchas herramientas permiten la ejecución de comandos arbitrarios, lo que invalida esta limitación. El impacto concreto depende de los comandos otorgados al atacante, pero la gran cantidad de comandos estándar que permiten la ejecución de subcomandos hace probable que cualquier usuario con permisos de "Ejecutar comandos" pueda explotar esta vulnerabilidad. Cualquiera que pueda explotarla tendrá plenos derechos de ejecución de código con el uid del proceso del servidor. Hasta que se solucione este problema, los mantenedores recomiendan deshabilitar completamente la función de "Ejecutar comandos" para todas las cuentas. Dado que la ejecución de comandos es una función inherentemente peligrosa que no se utiliza en todas las implementaciones, debería ser posible deshabilitarla por completo en la configuración de la aplicación. Como medida de defensa a fondo, las organizaciones que no requieran la ejecución de comandos deberían operar el Explorador de archivos desde una imagen de contenedor sin distribución. Se ha publicado una versión de parche para deshabilitar la función en todas las instalaciones existentes y habilitarla. Se ha añadido una advertencia a la documentación, que se muestra en la consola si la función está habilitada. Debido a que el proyecto se encuentra en modo de mantenimiento, el error no se ha corregido. La corrección se encuentra en la solicitud de incorporación de cambios 5199.

26 Jun 2025, 20:15

Type	Values Removed	Values Added
References	~~() https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4 -~~	() https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4 -

26 Jun 2025, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-26 19:15

Updated : 2026-06-09 13:16

NVD link : CVE-2025-52903

Mitre link : CVE-2025-52903

CVE.ORG link : CVE-2025-52903

JSON object : View

Products Affected

filebrowser

filebrowser

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

8.0 /10