CVE-2025-13008
Session Token Disclosure in M-Files Server via Web Interface
Publication date: 2025-12-19
Last updated on: 2026-02-23
Assigner: M-Files Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| m-files | m-files_server | 25.12.15491.7 |
| m-files | m-files_server | 25.2 |
| m-files | m-files_server | 24.8 |
| m-files | m-files_server | 25.8 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update M-Files Server to version 25.12.15491.7 or later, or to the corresponding fixed versions 25.8 LTS SR3 (25.8.15085.18), 25.2 LTS SR3 (25.2.14524.14), or 24.8 LTS SR5 (24.8.13981.17). Ensure that only authenticated users have access to M-Files Web and monitor for unusual session token activity. Since the vulnerability requires authentication and active user sessions, restricting access and applying the patch are critical steps. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an authenticated attacker to capture session tokens of other active users, enabling impersonation and unauthorized access to user identities and permissions. This exposure of private personal information could lead to non-compliance with standards and regulations such as GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure. [1]
Can you explain this vulnerability to me?
CVE-2025-13008 is an information disclosure vulnerability in M-Files Server's web component that allows an authenticated attacker to capture session tokens of other active users. This means that if an attacker is logged in and the victim is actively using M-Files Web, the attacker can steal the victim's session token and impersonate them, gaining access to their permissions and actions within the system. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to impersonate other users by capturing their session tokens, potentially leading to unauthorized access to sensitive information, unauthorized actions performed under another user's identity, and overall compromise of confidentiality, integrity, and availability of the system. [1]