CVE-2025-52903
Published: 2025-06-26
Priority: P3, 49, high; CVSS 3.1 score 8 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS: 0.96% (57.0th percentile)
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions on the 2.x branch prior to 2.33.10, the Command Execution feature of File Browser only allows the execution of shell commands that have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary other commands, rendering this limitation void. The concrete impact depends on the commands granted to the attacker, but the large number of standard commands that can execute subcommands makes it likely that every user holding the `Execute commands` permission can exploit this vulnerability. Everyone who can exploit it gains full code execution rights with the uid of the server process. Version 2.33.10 adds a check for whether a command is allowed when a shell is used.
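The description above boils down to two design mistakes in an allowlist for a "run a predefined command" feature: comparing only the first word of a request against the list, and then handing the whole string to a shell. The following Go program is an added example (not File Browser's own code, and not its fix) that puts the weak check beside a hardened policy: allowlist entries are complete argument vectors, the request must match one exactly, shell metacharacters are refused, and the approved vector is passed to `exec.Command` directly so no shell ever sees it. The function names `weakAllowed`, `strictArgv` and `buildCommand`, the sample allowlist and the sample requests are all constructed for this illustration.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"strings"
)

// shellMeta lists characters a POSIX shell treats specially. A request that
// contains any of them must never reach "sh -c".
const shellMeta = "|&;<>()$`\\\"'*?[]#\n"

// weakAllowed models the insufficient check the advisory describes: only the
// first word of the request is compared with the allowlist and the whole
// string is then handed to a shell. Any listed tool that can spawn
// subcommands, or any metacharacter, makes the list meaningless.
func weakAllowed(request string, allow []string) bool {
	fields := strings.Fields(request)
	if len(fields) == 0 {
		return false
	}
	for _, name := range allow {
		if fields[0] == name {
			return true
		}
	}
	return false
}

// strictArgv is the hardened policy (an assumption of this example, not the
// project's implementation): the allowlist holds complete argument vectors,
// the request must equal one of them after whitespace tokenising, and shell
// metacharacters are rejected outright. Pinning the full argv means a listed
// tool cannot be steered into running something else via extra arguments.
func strictArgv(request string, allow [][]string) ([]string, error) {
	if strings.ContainsAny(request, shellMeta) {
		return nil, errors.New("shell metacharacters are not permitted")
	}
	argv := strings.Fields(request)
	if len(argv) == 0 {
		return nil, errors.New("empty command")
	}
	for _, entry := range allow {
		if equalArgv(argv, entry) {
			return argv, nil
		}
	}
	return nil, fmt.Errorf("%q is not on the allowlist", request)
}

func equalArgv(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// buildCommand invokes the approved vector directly, never through "sh -c",
// so the process receives exactly the argv that was checked.
func buildCommand(argv []string) *exec.Cmd {
	return exec.Command(argv[0], argv[1:]...)
}

func main() {
	// Constructed allowlist: exact vectors only.
	allow := [][]string{{"ls", "-l"}, {"df", "-h"}}
	for _, req := range []string{"ls -l", "df -h", "ls -l | sort", "ls -l -a"} {
		argv, err := strictArgv(req, allow)
		if err != nil {
			fmt.Printf("reject %-14q weak check would say %v: %v\n", req, weakAllowed(req, []string{"ls", "df"}), err)
			continue
		}
		fmt.Printf("accept %-14q -> %v\n", req, buildCommand(argv).Args)
	}
}
```

The weak check accepts `ls -l | sort` because its first word is on the list; the strict check rejects it on the metacharacter alone, and also rejects `ls -l -a` because the vector is not exactly the listed one. Whether a given tool on the list can itself launch other programs (the advisory's point about standard commands with subcommands) is something the list author still has to review; exact-argv matching only removes the attacker's ability to add that subcommand to the request.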
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | — | — |
| filebrowser | filebrowser | — | — |
| github.com | filebrowser_filebrowser | 0 – 1.11.0 | — |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.33.10 | 2.33.10 |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.33.8 | 2.33.8 |
CVSS provenance
NVD: CVSS v3.1, 8.0 HIGH, CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
GHSA: 8.0 HIGH
GHSA
File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection
ghsa·2026-06-12·CVSS 8.0
CVE-2026-54090 [HIGH] CWE-77 File Browser has a Command Execution Allowlist Bypass via Shell Metacharacter Injection
> [!NOTE]
> **This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations**. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new advisory to make it clear that all vulnerabilities concerning this feature are disclosed.
>
> For more information about tracking vulnerability issues related to the Command Execution features, check https://github.com/filebrowser/filebrowser/issues/5199.
## Summary
When a shell interpreter is configured (e.g. `/bin/sh -c`), the command allowlist can be bypassed through shell metacharacters. The allowl
OSV
filebrowser Allows Shell Commands to Spawn Other Commands in github.com/filebrowser/filebrowser
osv·2025-07-28
CVE-2025-52903 filebrowser Allows Shell Commands to Spawn Other Commands in github.com/filebrowser/filebrowser
OSV
filebrowser Allows Shell Commands to Spawn Other Commands
osv·2025-06-27
CVE-2025-52903 [HIGH] filebrowser Allows Shell Commands to Spawn Other Commands
## Summary ##
The *Command Execution* feature of File Browser only allows the execution of shell commands that have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary other commands, rendering this limitation void.
## Impact ##
The concrete impact depends on the commands granted to the attacker, but the large number of standard commands that can execute subcommands makes it likely that every user holding the `Execute commands` permission can exploit this vulnerability. Everyone who can exploit it gains full code execution rights with the *uid* of the server process.
## Vulnerability Description ##
Many Linux commands allow the execution of arbitrary different comman
GHSA
filebrowser Allows Shell Commands to Spawn Other Commands
ghsa·2025-06-27
CVE-2025-52903 [HIGH] CWE-183 filebrowser Allows Shell Commands to Spawn Other Commands
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/GoogleContainerTools/distroless
https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108
https://github.com/filebrowser/filebrowser/issues/5199
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-02_Filebrowser_Shell_Commands_Can_Spawn_Other_Commands
https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html
https://pkg.go.dev/vuln/GO-2025-3786