CVE-2025-53826 — Authentication Bypass by Primary Weakness in Filebrowser Filebrowser

CWE-305 — Authentication Bypass by Primary Weakness CWE-385 — Covert Timing Channel CWE-613 — Insufficient Session Expiration CWE-384 — Session Fixation5 documents4 sources

Severity

7.7HIGHNVD

EPSS

0.3%

top 46.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Github.com Filebrowser Filebrowser Github.com Filebrowser Filebrowser V2 Filebrowser

Timeline

PublishedJul 15

Latest updateJul 28

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of publication, no known patches exist.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶Gogithub.com/filebrowser_filebrowser2.39.0

▶Gogithub.com/filebrowser_filebrowser_v22.39.0

▶CVEListV5filebrowser/filebrowser= 2.39.0

▶NVDfilebrowser/filebrowser2.39.0

🔴Vulnerability Details

OSV

File Browser’s insecure JWT handling can lead to session replay attacks after logout in github.com/filebrowser/filebrowser↗2025-07-28

▶

OSV

File Browser’s insecure JWT handling can lead to session replay attacks after logout↗2025-07-16

▶

GHSA

File Browser’s insecure JWT handling can lead to session replay attacks after logout↗2025-07-16

▶

CVEList

FileBrowser Has Insecure JWT Handling Which Allows Session Replay Attacks after Logout↗2025-07-15

▶