CVE-2025-52997
Published 2025-06-30
Priority P3 · Severity high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS 0.47% (37.3rd percentile)
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and a lack of brute-force protection make the authentication process insecure: an attacker can mount a brute-force attack to retrieve the passwords of all accounts in a given instance. This issue has been patched in version 2.34.1.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| filebrowser | filebrowser | < 2.34.1 | 2.34.1 |
| github.com | filebrowser_filebrowser | 0 – 1.11.0 | — |
| github.com | filebrowser_filebrowser_v2 | >= 0 < 2.34.1 | 2.34.1 |
OSV · 2025-07-28 · File Browser vulnerable to insecure password handling in github.com/filebrowser/filebrowser
OSV · 2025-06-30 · CVE-2025-52997 [MEDIUM] File Browser vulnerable to insecure password handling
## Summary ##
All user accounts authenticate towards a *File Browser* instance with a password. The absence of a password policy and of brute-force protection makes it impossible for administrators to properly secure the authentication process.
## Impact ##
Attackers can mount a brute-force attack against the passwords of all accounts of an instance. Since the application cannot prevent users from choosing weak passwords, such an attack is likely to succeed.
## Vulnerability Description ##
The application implements a classical authentication scheme using a username and password combination. Although many systems use this scheme, it is error-prone and a common source of vulnerabilities. File Browser's implementation h
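As an added example (not File Browser's own code, and not the fix shipped in 2.34.1, whose details this page does not give), the following Go program shows the two controls the advisory says were missing: a password policy applied when an account is created, and a per-account lockout that grows exponentially after repeated failures. Every name in it (ValidatePassword, Auth, LockedFor, the constants, the deny list and the guess list) is an assumption made for the example, and the plaintext credential store stands in for a proper password hash.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
	"time"
	"unicode/utf8"
)

const (
	minPasswordLen = 12               // length plus a deny list, no composition rules
	freeFailures   = 5                // failures tolerated before the first lockout
	baseLockout    = time.Second      // first lockout; doubles with each further failure
	maxLockout     = 15 * time.Minute // cap on the exponential lockout
)

// Constructed deny list for the example; a deployment would load a breached-password list.
var denyList = map[string]bool{"password": true, "password123": true, "admin": true, "123456": true, "filebrowser": true}

// ValidatePassword enforces a minimum length, rejects deny-listed values and
// rejects passwords that contain the username.
func ValidatePassword(user, pw string) error {
	if utf8.RuneCountInString(pw) < minPasswordLen {
		return fmt.Errorf("password must be at least %d characters", minPasswordLen)
	}
	if denyList[strings.ToLower(pw)] {
		return errors.New("password is on the deny list")
	}
	if len(user) >= 3 && strings.Contains(strings.ToLower(pw), strings.ToLower(user)) {
		return errors.New("password must not contain the username")
	}
	return nil
}

// Auth is a credential store with a per-account failure counter and lockout. Plaintext
// passwords compared in constant time stand in for bcrypt/Argon2 hashes to keep the
// example short; the clock is injected for testing; not safe for concurrent use.
type Auth struct {
	now    func() time.Time
	users  map[string]string
	fails  map[string]int       // consecutive failures per account
	locked map[string]time.Time // lockout expiry per account
}

func NewAuth(now func() time.Time) *Auth {
	return &Auth{now: now, users: map[string]string{}, fails: map[string]int{}, locked: map[string]time.Time{}}
}

// AddUser applies the password policy at account creation.
func (a *Auth) AddUser(user, pw string) error {
	if err := ValidatePassword(user, pw); err != nil {
		return err
	}
	a.users[user] = pw
	return nil
}

// LockedFor returns the remaining lockout for user, or 0 when attempts are allowed.
func (a *Auth) LockedFor(user string) time.Duration {
	if until, ok := a.locked[user]; ok && a.now().Before(until) {
		return until.Sub(a.now())
	}
	return 0
}

// recordFailure: failure number freeFailures+k locks the account for baseLockout*2^(k-1), capped.
func (a *Auth) recordFailure(user string) {
	a.fails[user]++
	if n := a.fails[user]; n > freeFailures {
		d := baseLockout << uint(n-freeFailures-1)
		if d <= 0 || d > maxLockout { // shift overflow or above the cap
			d = maxLockout
		}
		a.locked[user] = a.now().Add(d)
	}
}

// Login checks the lockout before touching credentials, so a locked account costs the
// attacker a request but yields nothing about the password.
func (a *Auth) Login(user, pw string) error {
	if wait := a.LockedFor(user); wait > 0 {
		return fmt.Errorf("account locked; retry in %s", wait)
	}
	stored, exists := a.users[user]
	if !exists || subtle.ConstantTimeCompare([]byte(stored), []byte(pw)) != 1 {
		a.recordFailure(user)
		return errors.New("invalid credentials")
	}
	delete(a.fails, user) // success clears the counter and any lockout
	delete(a.locked, user)
	return nil
}

func main() {
	auth := NewAuth(time.Now)
	fmt.Println("weak password rejected:", auth.AddUser("admin", "admin"))
	_ = auth.AddUser("admin", "correct horse battery staple")
	// Constructed guesses standing in for an attacker's wordlist; attempt 7 hits the lockout.
	for i, guess := range []string{"admin", "password", "123456", "filebrowser", "letmein", "qwerty", "admin123"} {
		fmt.Printf("attempt %d %-14q %v\n", i+1, guess, auth.Login("admin", guess))
	}
}
```

Two design points worth noting. Locking by account name means an attacker who knows a username can keep its legitimate owner locked out, so in a deployment the per-account counter is paired with per-source-IP rate limiting or a CAPTCHA rather than used alone. And the lockout check runs before the credential lookup so that a locked account returns the same answer for right and wrong passwords; the success path then resets the counter, which is what lets the real user back in after the interval elapses.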
GHSA · 2025-06-30 · CVE-2025-52997 [MEDIUM] CWE-1392 File Browser vulnerable to insecure password handling
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.