CVE-2025-53826
BaseFortify
Publication date: 2025-07-15
Last updated on: 2025-08-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filebrowser | filebrowser | 2.39.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-385 | Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information. |
| CWE-613 | According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization." |
| CWE-305 | The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in File Browser version 2.39.0 involves its authentication system issuing long-lived JWT tokens that remain valid even after the user logs out. This means that tokens can be used to access the system without re-authentication, potentially allowing unauthorized access.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to the file management interface because JWT tokens remain valid after logout. This could allow attackers or unauthorized users to upload, delete, preview, rename, or edit files within the specified directory, potentially compromising data integrity and confidentiality.
What immediate steps should I take to mitigate this vulnerability?
Since no known patches exist for this vulnerability, immediate mitigation steps include avoiding use of the affected version 2.39.0 of File Browser, restricting access to the File Browser interface to trusted users only, and monitoring for suspicious activity related to JWT tokens that remain valid after logout. Consider implementing additional access controls or network segmentation to limit exposure.
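The weakness described above is the pattern where a server accepts any correctly signed JWT and keeps no record of logouts, so a token stays usable until its (long) expiry. The following added example is not File Browser's code; it is a constructed HMAC-signed token issuer with a hypothetical server-side revocation set keyed by the token's `jti` claim, and it shows the weak signature-only check beside a hardened check that also enforces expiry and revocation, so that logout actually invalidates the token.

```python
import base64, binascii, hashlib, hmac, json, time, uuid
from typing import Optional

SECRET = b"constructed-demo-secret"   # constructed for the demo; use a random key in practice
REVOKED_JTI: set = set()              # hypothetical server-side revocation list, filled by logout()

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(user: str, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Issue an HS256 JWT with a unique jti and a short, explicit expiry."""
    now = time.time() if now is None else now
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"sub": user, "jti": str(uuid.uuid4()), "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = _b64(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"

def verify_signature_only(token: str) -> Optional[dict]:
    """Weak pattern: any correctly signed token is accepted, regardless of logout or age."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        return json.loads(_unb64(payload))
    except (ValueError, binascii.Error):   # malformed structure, bad base64 or bad JSON
        return None

def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened: signature, expiry and server-side revocation are all enforced."""
    now = time.time() if now is None else now
    claims = verify_signature_only(token)
    if claims is None:
        return None
    if claims.get("exp", 0) <= now:        # expired tokens are rejected outright
        return None
    if claims.get("jti") in REVOKED_JTI:   # logged-out tokens are rejected until they expire
        return None
    return claims

def logout(token: str) -> bool:
    """Record the token's jti so later presentations fail; entries can be pruned after exp."""
    claims = verify_signature_only(token)
    if not claims or "jti" not in claims:
        return False
    REVOKED_JTI.add(claims["jti"])
    return True
```

Because revocation entries are only needed until the token's `exp`, keeping the issued lifetime short bounds the size of the revocation set.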