CVE-2025-52901
Published 2025-06-30
Priority: P3 (41)
CVSS 3.1: 6.5 (medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.49% (38.4th percentile)
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give an attacker full access to a user's account and, in consequence, to all sensitive files the user has access to. This issue has been patched in version 2.33.9.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.33.9 | 2.33.9 |
| filebrowser | filebrowser | <= 2.33.0 | — |
| github.com | filebrowser_filebrowser | 0 – 1.11.0 | — |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.33.9 | 2.33.9 |
OSV
osv · 2025-07-28
CVE-2025-52901: File Browser allows sensitive data to be transferred in URL in github.com/filebrowser/filebrowser
GHSA
ghsa · 2025-06-30
CVE-2025-52901 [MEDIUM] CWE-598: File Browser allows sensitive data to be transferred in URL
## Summary
URLs that are accessed by a user are commonly logged in many locations, both server- and client-side. It is thus good practice never to transmit secret information as part of a URL. *File Browser* violates this practice, since access tokens are passed as GET parameters.
## Impact
The *JSON Web Token (JWT)* that serves as the session identifier is leaked to anyone who can read the URLs accessed by the user. Because the token is the credential itself, no further secret is needed to replay it: this gives the attacker full access to the user's account and, in consequence, to all sensitive files the user has access to.
## Description
Sensitive information in URLs is logged by several components (see the following examples), even if access is protected by TLS.
* The browser history
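The description above says the token ends up wherever URLs are recorded. The following is an added example, written for this page and not code from File Browser or from the advisory, showing what that means in practice on the server side: a scanner over access-log lines that finds JWT-shaped values in query strings, decodes the claims without any key (exactly what a log reader gets), flags tokens replayed from a second client IP, and redacts such values as a logging-side stopgap. The `auth` parameter name, the combined log format, the log lines and the demo token (placeholder signature, not a real one) are all constructed assumptions.

```python
import base64
import json
import re
from typing import Optional
from urllib.parse import parse_qsl, urlsplit

# Shape of a JWT: three base64url segments (the signature segment may be empty for alg=none).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
# Combined log format up to the referer field; the user agent is not needed here.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)"'
)


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))


def make_demo_jwt(payload: dict) -> str:
    """Build a JWT-shaped token with a placeholder signature, only for constructing
    sample data; a real server would HMAC-sign the first two segments."""
    def dump(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([dump({"alg": "HS256", "typ": "JWT"}), dump(payload),
                     _b64url(b"placeholder-signature")])


def decode_claims_unverified(value: str) -> Optional[dict]:
    """Return the payload if `value` is a JWT, else None. No signature check is done:
    that is the attacker's position, the log reader learns the claims and can replay
    the token as-is without any key."""
    if not JWT_RE.match(value):
        return None
    head, body = value.split(".")[:2]
    try:
        header = json.loads(_b64url_decode(head))
        if not isinstance(header, dict) or "alg" not in header:
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad base64, bad UTF-8 and bad JSON all derive from ValueError
        return None
    return claims if isinstance(claims, dict) else None


def find_tokens_in_url(target: str) -> list:
    """(param, token, claims) for every query parameter whose value is a JWT."""
    hits = []
    for name, val in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        claims = decode_claims_unverified(val)
        if claims is not None:
            hits.append((name, val, claims))
    return hits


def scan_access_log(text: str) -> list:
    """One finding per (request, leaked token): who sent it, when, where, and what it grants."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, token, claims in find_tokens_in_url(m["target"]):
            findings.append({
                "client": m["client"], "time": m["time"], "param": name,
                "path": urlsplit(m["target"]).path, "token": token,
                "claims": claims, "referer": m["referer"],
            })
    return findings


def replayed_tokens(findings: list) -> dict:
    """Tokens seen from more than one client IP: the account takeover the advisory describes."""
    clients = {}
    for f in findings:
        seen = clients.setdefault(f["token"], [])
        if f["client"] not in seen:
            seen.append(f["client"])
    return {t: c for t, c in clients.items() if len(c) > 1}


def redact_url(target: str) -> str:
    """Logging-side stopgap: blank JWT-shaped query values before the line is written.
    This does not fix the application, which should carry the token in a header or cookie."""
    parts = urlsplit(target)
    pairs = [(k, "[REDACTED]" if decode_claims_unverified(v) is not None else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return parts._replace(query="&".join(f"{k}={v}" for k, v in pairs)).geturl()


# Constructed sample data, not real traffic; "auth" is a hypothetical parameter name.
DEMO_TOKEN = make_demo_jwt({"user": {"id": 7, "username": "alice"}, "exp": 1751366400})
SAMPLE_LOG = (
    f'10.0.0.5 - - [30/Jun/2025:10:12:01 +0000] "GET /api/raw/reports/q2.pdf?auth={DEMO_TOKEN} HTTP/1.1" '
    '200 4096 "https://files.example.test/files/reports/" "Mozilla/5.0"\n'
    '10.0.0.5 - - [30/Jun/2025:10:12:04 +0000] "GET /api/resources/reports/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n'
    f'203.0.113.9 - - [30/Jun/2025:10:15:30 +0000] "GET /api/raw/reports/q2.pdf?auth={DEMO_TOKEN} HTTP/1.1" '
    '200 4096 "-" "curl/8.0"\n'
)

if __name__ == "__main__":
    found = scan_access_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['time']} {f['client']} {f['path']} param={f['param']} claims={f['claims']}")
    for token, ips in replayed_tokens(found).items():
        print("token replayed from", ips, ":", token[:24] + "...")
    print(redact_url(f"/api/raw/reports/q2.pdf?auth={DEMO_TOKEN}"))
```

The third constructed line is the tell: the same token arriving from a second address a few minutes later is what a leaked session looks like in the log, and the scanner surfaces it without needing the signing key. Redaction only protects logs you control; browser history, proxies and Referer headers still carry the URL, which is why the real fix is the application-side change (token in a header or cookie, as of 2.33.9) rather than log hygiene.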
OSV
osv · 2025-06-30
CVE-2025-52901 [MEDIUM]: File Browser allows sensitive data to be transferred in URL
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
* https://github.com/filebrowser/filebrowser/commit/d5b39a14fd3fc0d1c364116b41289484df7c27b2
* https://github.com/filebrowser/filebrowser/releases/tag/v2.33.9
* https://github.com/filebrowser/filebrowser/security/advisories/GHSA-rmwh-g367-mj4x
* https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250327-03_Filebrowser_Sensitive_Data_Transferred_In_URL