CVE-2025-52904
BaseFortify

Publication date: 2025-06-26

Last updated on: 2025-08-05

Assigner: GitHub, Inc.

Description
File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename and edit files. In version 2.32.0 of the web application, every user has a scope assigned and only has access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands that are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until this issue is fixed, the maintainers recommend completely disabling `Execute commands` for all accounts. Since command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to disable it entirely in the application's configuration. As a defense-in-depth measure, organizations that do not require command execution should run Filebrowser from a distroless container image. A patch version has been pushed that disables the feature for all existing installations and makes it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Because the project is in maintenance-only mode, the underlying bug has not been fixed; the fix is tracked in pull request 5199.
Meta Information
Published: 2025-06-26
Last Modified: 2025-08-05
Generated: 2026-05-07
AI Q&A: 2025-06-26
EPSS Evaluated: 2026-05-05
Source: NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: filebrowser
Product: filebrowser
Version / Range: 2.32.0
CWE ID: CWE-77
Description: The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-52904 is a high-severity vulnerability in the Filebrowser web application version 2.32.0 related to its Command Execution feature. Although Filebrowser restricts users to files within their assigned scope, the Command Execution feature allows shell commands to run without enforcing those scope restrictions. This means an attacker with permission to execute commands can run shell commands as the server process user, potentially gaining read and write access to all files managed by the server, including those outside their scope. This can lead to unauthorized access to sensitive data, modification of files, and even impersonation of other users by altering password hashes in the Filebrowser database. The vulnerability arises because shell commands are executed as subprocesses without sandboxing or scope enforcement. The maintainers recommend disabling the Execute Commands feature until a fix is available. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts, including unauthorized full read and write access to all files managed by the Filebrowser server, even those outside the attacker's assigned scope. An attacker can extract sensitive information such as password hashes from the Filebrowser database and perform offline attacks to crack passwords. They can also modify the database to impersonate other users, including administrators, potentially gaining full control over the application. This compromises the confidentiality, integrity, and availability of the system and its data. Because the commands run with the server user's privileges, the attacker can manipulate files and data extensively, leading to significant security breaches. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detecting this vulnerability involves checking whether the Filebrowser instance is running version 2.32.0 with the Execute Commands feature enabled. Since the vulnerability allows execution of shell commands without scope restrictions, one can verify whether command execution is enabled by inspecting the Filebrowser interface or reviewing its configuration. A practical detection method is to try executing shell commands via the Filebrowser interface if permitted, for example using commands like `grep` to read sensitive files as demonstrated in the proof of concept. However, no specific detection commands are provided in the resources. Monitoring Filebrowser logs for unusual command execution or access patterns may also help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include completely disabling the Execute Commands feature for all accounts in Filebrowser until a fix is available, as this feature is inherently dangerous and not required by all deployments. Additionally, running Filebrowser inside a distroless container image is recommended as a defense-in-depth measure to reduce the attack surface. The patch released on 2025-06-25 disables the Execute Commands feature by default and makes it opt-in, so updating to this patched version and ensuring the feature remains disabled is advised. Further mitigations include sandboxing the Filebrowser process using user namespaces and tools like Bubblewrap to isolate command execution, or re-architecting command execution to run under user-specific UIDs corresponding to their scopes, though these are longer-term solutions. [1, 2, 3]
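The detection and mitigation answers above both come down to two concrete checks: which accounts still hold the Execute Commands permission, and whether anyone has been reaching the command feature at all. The following script is an added example written for this page; it is not code from the advisory, from the Filebrowser project, or from the cited resources. It assumes that the command feature is reached over the HTTP path `/api/command` (an assumption about the application's routing), that a reverse proxy in front of Filebrowser writes NGINX "combined" access logs, and that user records look like the JSON returned by a `/api/users` endpoint with a `perm` object carrying an `execute` boolean. All log lines and user records in the block are constructed sample data.

```python
"""Two defender-side checks for the Filebrowser Execute Commands exposure.

Added example, not project code.  Assumptions (labelled): the command feature
lives under /api/command, the proxy writes NGINX "combined" access logs, and
user records carry a "perm": {"execute": bool} object.  All sample data below
is constructed for illustration.
"""
import json
import re
from collections import Counter

# Assumed route prefix of the command-execution feature (not verified against the project).
COMMAND_PATH_PREFIX = "/api/command"

# NGINX "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"$'
)

# Constructed sample access log: one client opens the command endpoint twice
# (101 = WebSocket upgrade accepted), another only downloads a file.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Jun/2025:10:01:12 +0000] "POST /api/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jun/2025:10:01:20 +0000] "GET /api/resources/docs/ HTTP/1.1" 200 1433 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jun/2025:10:02:03 +0000] "GET /api/command/?auth=REDACTED HTTP/1.1" 101 0 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Jun/2025:10:02:41 +0000] "GET /api/command/?auth=REDACTED HTTP/1.1" 101 0 "-" "Mozilla/5.0"
198.51.100.23 - - [26/Jun/2025:10:05:00 +0000] "GET /api/raw/docs/report.pdf HTTP/1.1" 200 88211 "-" "curl/8.5.0"
"""

# Constructed sample user export in the assumed /api/users JSON shape.
SAMPLE_USERS = json.dumps([
    {"id": 1, "username": "admin", "scope": "/", "perm": {"admin": True, "execute": False}},
    {"id": 2, "username": "alice", "scope": "/srv/files/alice", "perm": {"admin": False, "execute": True}},
    {"id": 3, "username": "bob", "scope": "/srv/files/bob", "perm": {"admin": False, "execute": False}},
])


def parse_access_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def find_command_requests(lines):
    """Return parsed entries whose request path (query string ignored) hits the command endpoint."""
    hits = []
    for line in lines:
        entry = parse_access_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0]
        if path.startswith(COMMAND_PATH_PREFIX):
            hits.append(entry)
    return hits


def summarize_by_source(hits):
    """Count command-endpoint requests per client address, for triage."""
    return Counter(h["ip"] for h in hits)


def users_with_execute(users_json):
    """Names of accounts that still hold the execute permission and should have it removed."""
    users = json.loads(users_json)
    return sorted(u["username"] for u in users if u.get("perm", {}).get("execute"))


if __name__ == "__main__":
    hits = find_command_requests(SAMPLE_LOG.splitlines())
    print("command-endpoint requests by source:", dict(summarize_by_source(hits)))
    for h in hits:
        print(f"  {h['time']} {h['ip']} {h['method']} {h['path']} -> {h['status']}")
    print("accounts with execute permission:", users_with_execute(SAMPLE_USERS))
```

Any account the second check reports should have its execute permission cleared through the web UI or the project's own CLI, and, on a patched version, the feature should simply stay off globally. The log check is a triage aid, not proof of exploitation: a request to the command endpoint from an account that legitimately holds the permission is expected, while any such request after the feature was supposedly disabled is worth an incident ticket.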

