CVE-2025-52901Use of GET Request Method With Sensitive Query Strings in Filebrowser

CWE-598Use of GET Request Method With Sensitive Query Strings5 documents4 sources
Severity
6.5MEDIUMNVD
CNA4.5
EPSS
0.1%
top 68.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
FilebrowserGithub.com Filebrowser Filebrowser V2Github.com Filebrowser Filebrowser
Timeline
PublishedJun 30
Latest updateJul 28

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give an attacker full access to a user's account and, in consequence, to all sensitive files the user has access to. This issue has been pa

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

CVEListV5filebrowser/filebrowser< 2.33.9

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
File Browser allows sensitive data to be transferred in URL in github.com/filebrowser/filebrowser2025-07-28
CVEList
File Browser allows sensitive data to be transferred in URL2025-06-30
GHSA
File Browser allows sensitive data to be transferred in URL2025-06-30
OSV
File Browser allows sensitive data to be transferred in URL2025-06-30
CVE-2025-52901 — Filebrowser vulnerability | cvebase