CVE-2025-52903
BaseFortify

Publication date: 2025-06-26

Last updated on: 2025-08-05

Assigner: GitHub, Inc.

Description
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename and edit files. In version 2.32.0, the Command Execution feature of File Browser only allows the execution of shell commands that have been predefined on a user-specific allowlist. Many such tools allow the execution of arbitrary other commands, rendering this limitation void. The concrete impact depends on the commands granted to the attacker, but the large number of standard commands that allow the execution of subcommands makes it likely that every user with the `Execute commands` permission can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Until this issue is fixed, the maintainers recommend completely disabling `Execute commands` for all accounts. Since command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate File Browser from a distroless container image. A patch version has been pushed that disables the feature for all existing installations and makes it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. The fix is tracked in pull request 5199.
Meta Information
Published: 2025-06-26
Last Modified: 2025-08-05
Generated: 2026-05-07
AI Q&A: 2025-06-26
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
1 associated CPE:
Vendor: filebrowser
Product: filebrowser
Version / Range: 2.32.0
CWE
CWE-77: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-52903 is a high-severity vulnerability in File Browser version 2.32.0 affecting its Command Execution feature. Although this feature restricts users to executing only predefined shell commands on a user-specific allowlist, many standard Linux commands allowed by this list can spawn arbitrary subcommands, effectively bypassing the restriction. For example, commands like 'find' can be exploited to run arbitrary commands, enabling full code execution with the server process's user ID for any user with Execute Commands permission. This means an attacker with such permissions can execute any code on the server, leading to a complete compromise. [1]


How can this vulnerability impact me?

If exploited, this vulnerability allows an attacker with Execute Commands permission to gain full code execution rights on the server running File Browser, using the server process's user ID. This can lead to unauthorized access, data manipulation, service disruption, and potentially full system compromise. The impact includes loss of confidentiality, integrity, and availability of the system and its data. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection can involve monitoring for execution of commands like `find`, `cpio`, `sed`, `git`, and `env` that are allowed by the File Browser's command allowlist but can be exploited to run arbitrary subcommands. A proof of concept involves using `find` with the `-exec` flag to perform unauthorized actions such as network calls. While no specific detection commands are provided, monitoring for unusual usage of these commands or unexpected network calls initiated by the File Browser process could indicate exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include completely disabling the Execute Commands feature for all accounts until a fix is available, as this feature is inherently dangerous and not required by all deployments. Additionally, applying process creation limits using the `prlimit` command with the `--nproc=0` option can prevent subcommand execution by causing commands like `find` to fail when attempting to fork new processes. Running File Browser from a distroless container image is recommended as a defense-in-depth measure. The patch released disables the Execute Commands feature by default and makes it opt-in, with warnings added to documentation and console output when enabled. [1, 2, 3]
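The detection answer above only says to watch for allowlisted tools spawning further programs. The following is an added example, not code from the advisory, from BaseFortify or from the File Browser project: a small Python detector that reads a process-execution trail (the line format `pid ppid comm argv` and every sample line are constructed for this example, not real audit output), reconstructs the parent chain of each process, and raises an alert whenever a process sits two or more levels below the `filebrowser` server process, which is exactly the case of an allowlisted command launching a subcommand. It also flags `find` invoked with `-exec` directly under the server, the pattern the answer names. The rule is generic, so it catches any allowlisted tool that forks a child, not only `find`; the process name `filebrowser` and the tool set are assumptions taken from this page.

```python
"""Flag allowlisted File Browser commands that spawn child processes.

Added example for CVE-2025-52903; log format and sample events are constructed.
"""
import shlex

# Tools the advisory names as allowlist-eligible yet able to run subcommands.
SUBCOMMAND_CAPABLE = {"find", "cpio", "sed", "git", "env"}
# Assumed process name of the File Browser server.
SERVER_COMM = "filebrowser"

# Constructed sample trail, one exec event per line: "pid ppid comm argv".
SAMPLE_LOG = """\
100 1 filebrowser /usr/bin/filebrowser --port 8080
101 100 find find /srv/files -name '*.log'
102 100 find find /srv/files -type f -exec /bin/sh -c 'id' \\;
103 102 sh /bin/sh -c id
104 103 id id
105 100 ls ls -la /srv/files
106 1 sshd /usr/sbin/sshd -D
"""


def parse_events(log_text):
    """Return {pid: event} from the constructed 'pid ppid comm argv' format."""
    events = {}
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        pid, ppid, comm, argv = line.split(maxsplit=3)
        events[int(pid)] = {
            "pid": int(pid),
            "ppid": int(ppid),
            "comm": comm,
            "argv": shlex.split(argv),  # shell-style tokens, e.g. '-exec'
        }
    return events


def ancestry(events, pid):
    """Process names from the process itself up to the highest known parent."""
    chain, seen = [], set()
    while pid in events and pid not in seen:
        seen.add(pid)
        chain.append(events[pid]["comm"])
        pid = events[pid]["ppid"]
    return chain


def analyze(events):
    """Return (severity, pid, reason) findings for processes under the server.

    depth 1  = command run directly by filebrowser (the allowlisted command)
    depth >= 2 = a process that an allowlisted command itself launched, i.e.
                 the allowlist bypass the advisory describes.
    """
    findings = []
    for pid in sorted(events):
        chain = ancestry(events, pid)
        if SERVER_COMM not in chain or chain[0] == SERVER_COMM:
            continue  # unrelated process, or the server itself
        depth = chain.index(SERVER_COMM)
        ev = events[pid]
        if depth == 1:
            if ev["comm"] in SUBCOMMAND_CAPABLE:
                findings.append(("warn", pid,
                                 f"{ev['comm']} run by {SERVER_COMM}; tool can launch subcommands"))
            if ev["comm"] == "find" and "-exec" in ev["argv"]:
                findings.append(("alert", pid, "find invoked with -exec under filebrowser"))
        else:
            findings.append(("alert", pid,
                             f"{ev['comm']} spawned via allowlisted {chain[1]} (depth {depth})"))
    return findings


if __name__ == "__main__":
    for severity, pid, reason in analyze(parse_events(SAMPLE_LOG)):
        print(f"[{severity}] pid={pid}: {reason}")
```

Run against the sample, the direct `find` invocations (pids 101 and 102) produce warnings, pid 102 additionally alerts on `-exec`, and the shell and `id` it spawned (pids 103 and 104) alert as subcommands. The plain `ls` under the server and the unrelated `sshd` produce nothing, which is the point: the signal is an allowlisted command acquiring descendants, not the allowlisted command itself.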

