CVE-2025-52904
Published 2025-06-26
Priority: P3 48 | Severity: High | CVSS 3.1: 8.0
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.89% (54.7th percentile)
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until this issue is fixed, the maintainers recommend completely disabling `Execute commands` for all accounts. Since command execution is an inherently dangerous feature that not all deployments use, it should be possible to disable it completely in the application's configuration. The feature has been disabled by default for all installations from v2.33.8 onwards, including existing installations. To exploit this vulnerability, the instance administrator must turn the feature on and ignore the warnings about known vulnerabilities.
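The practical first step in applying the mitigation above is to find out which accounts currently have `Execute commands` switched on, since the scope shown in the GUI says nothing about what those accounts can reach through a command. The script below is an added example, not File Browser's own code: it audits a dump of the `GET /api/users` response for accounts with `perm.execute` set and prints the CLI lines that turn the permission off. The field names (`id`, `username`, `scope`, `perm.admin`, `perm.execute`, `commands`) and the `filebrowser users update <id> --perm.execute=false` form of the bundled CLI are my assumptions about the 2.x API and CLI and should be checked against your version; the sample JSON is constructed.

```python
"""Audit File Browser accounts for the "Execute commands" permission.

Added example, not File Browser's own code. It works on the JSON shape of the
GET /api/users response as assumed here (fields: id, username, scope,
perm.admin, perm.execute, commands); check against your instance before
trusting the output. The sample data below is constructed.
"""
import json

# Constructed sample: what a small instance might return from GET /api/users.
SAMPLE_USERS_JSON = """
[
  {"id": 1, "username": "admin", "scope": ".",
   "perm": {"admin": true, "execute": true}, "commands": ["ls", "git"]},
  {"id": 2, "username": "alice", "scope": "./alice",
   "perm": {"admin": false, "execute": true}, "commands": ["ls"]},
  {"id": 3, "username": "bob", "scope": "./bob",
   "perm": {"admin": false, "execute": false}, "commands": []}
]
"""


def accounts_with_execute(users):
    """Return every account whose Execute permission is on.

    The scope only bounds what the GUI shows; once perm.execute is on, the
    commands run with the server's uid and see every scope plus the database
    file, so the scope is reported only to make that gap visible. The
    per-account command allow-list is reported for the same reason: it
    limits which binaries run, not which paths they touch.
    """
    findings = []
    for user in users:
        perm = user.get("perm") or {}
        if not perm.get("execute"):
            continue
        findings.append({
            "id": user["id"],
            "username": user["username"],
            "scope": user.get("scope", ""),
            "admin": bool(perm.get("admin")),
            "commands": list(user.get("commands") or []),
        })
    return findings


def remediation(findings):
    """CLI lines that switch Execute off for each flagged account.

    Assumes the `filebrowser users update <id> --perm.execute=false` form of
    the bundled CLI (an assumption; confirm with
    `filebrowser users update --help` on your version).
    """
    return [f"filebrowser users update {f['id']} --perm.execute=false"
            for f in findings]


def audit(users_json):
    """Parse an /api/users dump and return (findings, remediation lines)."""
    findings = accounts_with_execute(json.loads(users_json))
    return findings, remediation(findings)


if __name__ == "__main__":
    found, fixes = audit(SAMPLE_USERS_JSON)
    for f in found:
        print(f"execute ON: {f['username']} (id {f['id']}, scope {f['scope']}, "
              f"admin={f['admin']}, allow-list={f['commands'] or 'none'})")
    print("\n".join(fixes))
```

Run it against the real output of `GET /api/users` (an admin token is needed for that endpoint) instead of the constructed sample. The admin account is flagged too, deliberately: the maintainers' advice is to disable the permission for all accounts, and an administrator's scope is no more of a boundary for a command than anyone else's.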
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | — | — |
| filebrowser | filebrowser | — | — |
| github.com | filebrowser_filebrowser | 0 – 1.11.0 | — |
| github.com | filebrowser_filebrowser_v2 | 0 – 2.35.0 | — |
OSV (osv · 2025-07-28)
CVE-2025-52904: File Browser: Command Execution not Limited to Scope in github.com/filebrowser/filebrowser
GHSA (ghsa · 2025-06-30)
CVE-2025-52904 [HIGH] CWE-77: File Browser: Command Execution not Limited to Scope
## Summary ##
In the web application, all users have a *scope* assigned, and they only have access to the files within that *scope*.
The *Command Execution* feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server.
## Impact ##
Shell commands are executed with the *uid* of the server process without any further restrictions.
This means that they will have access to at least:
* all files managed by the application from all *scopes*, even those the user does not have access to in the GUI.
* the Filebrowser database file containing the password hashes of all accounts.
The concrete impact depends on the co
OSV (osv · 2025-06-30)
CVE-2025-52904 [HIGH] File Browser: Command Execution not Limited to Scope (same advisory text as the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/GoogleContainerTools/distroless
https://github.com/filebrowser/filebrowser/issues/5199
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hc8f-m8g5-8362
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-01_Filebrowser_Command_Execution_Not_Limited_To_Scope
https://pkg.go.dev/vuln/GO-2025-3793
https://sloonz.github.io/posts/sandboxing-1