CVE-2025-64523Improper Authorization in Filebrowser

CWE-285Improper AuthorizationCWE-639Authorization Bypass Through User-Controlled Key5 documents4 sources
Severity
7.2HIGHNVD
EPSS
0.1%
top 73.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
FilebrowserGithub.com Filebrowser Filebrowser V2
Timeline
PublishedNov 12
Latest updateNov 17

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Versions prior to 2.45.1 have an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks. The impact is significant as malicious actors can disrupt busines

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

CVEListV5filebrowser/filebrowser< 2.45.1

Patches

Patch: github.com

🔴Vulnerability Details

4
OSV
File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function in github.com/filebrowser/filebrowser2025-11-17
GHSA
File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function2025-11-13
OSV
File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function2025-11-13
CVEList
FileBrowser has Insecure Direct Object Reference (IDOR) in Share Deletion Function2025-11-12