CVE-2025-52901
BaseFortify
Publication date: 2025-06-30
Last updated on: 2025-08-04
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filebrowser | filebrowser | up to 2.33.0 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-598 | The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52901 is a vulnerability in the File Browser project where JSON Web Tokens (JWTs), used as session identifiers, were included as GET parameters in URLs. This means the authentication token was exposed in the URL query string, which can be logged in browser history, web server logs, proxy servers, and other intermediaries. As a result, anyone with access to these logs could obtain the JWT and gain full access to the user's account and all sensitive files accessible to that user. The vulnerability was fixed by removing the token from the URL and not including it in the WebSocket connection URL. [3, 1]
How can this vulnerability impact me?
This vulnerability can lead to an attacker obtaining a user's JWT authentication token by accessing URLs containing the token in logs or browser history. With this token, the attacker can fully access the user's account and all sensitive files the user has access to, potentially leading to unauthorized data exposure or data theft. [3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring network traffic or logs for URLs containing JWT tokens as GET parameters, specifically looking for URLs with query strings like `?auth=<JWT>`. For example, you can use network packet capture tools such as tcpdump or Wireshark to filter HTTP requests containing `auth=` in the URL. A sample tcpdump command to detect such URLs might be: `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep 'auth='`. Additionally, inspecting web server access logs or proxy logs for entries containing `auth=` in the query string can help identify vulnerable requests. [3]
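The log-inspection approach described above, as an added example that is not part of this record or of the File Browser project: a Python scanner that reads combined-format access-log lines, pulls the `auth` query parameter named in the answer, and reports only values that actually have JWT structure (three base64url segments with a JSON header carrying `alg`), so plain `auth=` matches on unrelated parameters are not flagged. The log lines and tokens are constructed for the example.

```python
import re
import base64
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format). The JWT values are
# dummy tokens built for this example, not real credentials.
SAMPLE_LOG = """\
10.0.0.5 - - [30/Jun/2025:10:01:02 +0000] "GET /api/raw/docs/report.pdf?auth=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyIjoiYWxpY2UifQ.c2ln HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [30/Jun/2025:10:01:05 +0000] "GET /api/resources/docs HTTP/1.1" 200 310 "-" "Mozilla/5.0"
10.0.0.9 - - [30/Jun/2025:10:01:09 +0000] "GET /api/command/?auth=notajwt HTTP/1.1" 101 0 "-" "Mozilla/5.0"
"""

# Three base64url segments separated by dots; the signature segment may be empty (alg=none).
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")
# The quoted request line: method, target (path + query), protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def _b64url_json(segment):
    """Decode one base64url JWT segment into a JSON value, or None if it is not valid."""
    padded = segment + "=" * (-len(segment) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return None


def looks_like_jwt(value):
    """True when value has JWT shape and its header decodes to JSON with an 'alg' field."""
    if not JWT_RE.match(value):
        return False
    header = _b64url_json(value.split(".")[0])
    return isinstance(header, dict) and "alg" in header


def redact(token):
    """Keep only the edges of a token so findings can be logged without re-leaking it."""
    return token[:8] + "..." + token[-4:] if len(token) > 12 else "***"


def find_token_leaks(log_text, param_names=("auth",)):
    """Return one finding per request whose query string carries a JWT in a watched parameter."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        for name in param_names:
            for value in parse_qs(parts.query).get(name, []):
                if looks_like_jwt(value):
                    findings.append({"line": lineno, "client": line.split()[0],
                                     "path": parts.path, "param": name, "token": redact(value)})
    return findings


if __name__ == "__main__":
    for f in find_token_leaks(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} sent a JWT in ?{f['param']}= to {f['path']} ({f['token']})")
```

The tcpdump pipeline above only matches plaintext HTTP; traffic on port 443 is encrypted on the wire, so for TLS deployments run this scanner on the access logs of the terminating server or reverse proxy instead.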
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade File Browser to version 2.33.9 or later, where the vulnerability has been fixed by removing the JWT authentication token from URLs and instead handling authentication tokens securely. Additionally, avoid transmitting sensitive tokens in URL query parameters and ensure tokens are sent only via HTTP headers or request bodies. If upgrading immediately is not possible, restrict access to logs and network captures that might contain leaked tokens and monitor for suspicious activity. [1, 3]