CVE-2025-64011

CWE-639 — Insecure Direct Object Reference3 documents3 sources

Severity

4.3MEDIUM

EPSS

0.0%

top 89.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Nextcloud Server

Timeline

PublishedDec 12

Description

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDnextcloud/nextcloud_server30.0.0

🔴Vulnerability Details

CVEList

CVE-2025-64011: Nextcloud Server 30↗2025-12-12

▶

GHSA

GHSA-h6j9-6xjq-44c4: Nextcloud Server 30↗2025-12-12

▶