CVE-2025-62509
BaseFortify
Publication date: 2025-10-20
Last updated on: 2025-12-04
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| filerise | filerise | to 1.4.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in FileRise (versions ≤ 1.3.15) is a business logic flaw where low-privilege users can perform unauthorized operations such as viewing, deleting, or modifying files owned by other users. The root cause is that the system inferred file ownership and visibility based on folder names (e.g., folders named after usernames) without proper server-side authorization checks. This allowed attackers to exploit predictable folder names to access or manipulate files they shouldn't have access to, constituting an Insecure Direct Object Reference (IDOR) vulnerability. [3]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access and modification of files belonging to other users, compromising the confidentiality and integrity of data. Low-privilege users could view, delete, or modify files they do not own, potentially leading to data breaches, loss of important files, and unauthorized data manipulation within the FileRise system. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability can negatively impact compliance with standards such as GDPR and HIPAA because it allows unauthorized access and modification of sensitive user data, violating principles of data confidentiality and integrity required by these regulations. Unauthorized data exposure or alteration could lead to regulatory non-compliance, legal penalties, and loss of trust. [3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting non-admin users to read-only access or disabling delete and rename APIs server-side, avoiding the creation of top-level folders named after other usernames, and adding server-side checks that verify ownership before allowing delete, rename, or move operations. Upgrading to FileRise version 1.4.0 or later is recommended, with version 1.5.0 providing further hardened access control via explicit per-folder ACLs. [3]
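The mitigation described above (server-side ownership checks before delete, rename or move, plus explicit per-folder ACLs) as an added illustrative Python model. This is not FileRise's code: the `FileServer` class, its `owners` and `folder_acl` records, and the user names and file paths are all constructed for the example. The `hardened=False` variant reproduces the pattern the Q&A describes, where the listing shown to a user is filtered by folder name but the mutating API trusts whatever path the client sends; the `hardened=True` variant consults stored ownership and an explicit ACL on every write.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False


class PermissionDenied(Exception):
    """Raised by the hardened server when a caller lacks rights on a path."""


@dataclass
class FileServer:
    """Hypothetical file API; hardened=False reproduces the IDOR pattern."""
    hardened: bool
    files: set = field(default_factory=set)         # stored paths (constructed)
    owners: dict = field(default_factory=dict)      # path -> uploader name
    folder_acl: dict = field(default_factory=dict)  # top-level folder -> {writers}

    @staticmethod
    def _top_folder(path: str) -> str:
        return path.split("/", 1)[0]

    def upload(self, user: User, path: str) -> None:
        self.files.add(path)
        self.owners[path] = user.name
        # The folder's creator gets write rights; others must be added explicitly.
        self.folder_acl.setdefault(self._top_folder(path), {user.name})

    def list_files(self, user: User) -> list:
        # Both variants show a user only the folder named after them. In the
        # vulnerable variant this client-visible filtering is the only control.
        if user.is_admin:
            return sorted(self.files)
        return sorted(p for p in self.files if self._top_folder(p) == user.name)

    def _check_write(self, user: User, path: str) -> None:
        if not self.hardened:
            return  # vulnerable: the server trusts whatever path the client names
        if user.is_admin or self.owners.get(path) == user.name:
            return
        if user.name in self.folder_acl.get(self._top_folder(path), set()):
            return
        raise PermissionDenied(f"{user.name} may not modify {path}")

    def delete(self, user: User, path: str) -> None:
        if path not in self.files:
            raise FileNotFoundError(path)
        self._check_write(user, path)
        self.files.discard(path)
        self.owners.pop(path, None)

    def rename(self, user: User, src: str, dst: str) -> None:
        if src not in self.files:
            raise FileNotFoundError(src)
        self._check_write(user, src)
        # Moving into a different top-level folder also needs write rights there.
        dst_folder = self._top_folder(dst)
        if (self.hardened and not user.is_admin
                and dst_folder != self._top_folder(src)
                and user.name not in self.folder_acl.get(dst_folder, set())):
            raise PermissionDenied(f"{user.name} may not write into {dst_folder}")
        self.files.discard(src)
        self.files.add(dst)
        self.owners[dst] = self.owners.pop(src, user.name)


def demo(hardened: bool) -> dict:
    """Constructed scenario: bob, a low-privilege user, targets alice's files."""
    srv = FileServer(hardened=hardened)
    alice, bob = User("alice"), User("bob")
    srv.upload(alice, "alice/report.txt")
    srv.upload(alice, "alice/budget.xlsx")
    srv.upload(bob, "bob/notes.txt")
    result = {"bob_sees": srv.list_files(bob)}
    # bob's listing never shows alice's files, but he calls the API with the
    # predictable path directly; only the hardened server rejects this.
    for op, args in (("rename", ("alice/report.txt", "bob/report.txt")),
                     ("delete", ("alice/budget.xlsx",))):
        try:
            getattr(srv, op)(bob, *args)
            result[op] = "allowed"
        except PermissionDenied:
            result[op] = "denied"
    result["alice_files"] = srv.list_files(alice)
    return result


if __name__ == "__main__":
    print("vulnerable:", demo(hardened=False))
    print("hardened:  ", demo(hardened=True))
```

The design point is that ownership is a stored fact about each file, recorded at upload time, and the ACL is an explicit server-side table; neither is derived from the name of the folder in the request, so a caller who guesses another user's folder name gains nothing.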