CVE-2025-66545
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-09

Assigner: GitHub, Inc.

Description
Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-09
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66545
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
nextcloud group_folders to 14.0.11 (exc)
nextcloud group_folders From 15.0.0 (inc) to 15.3.12 (exc)
nextcloud group_folders From 16.0.0 (inc) to 16.0.15 (exc)
nextcloud group_folders From 17.0.0 (inc) to 17.0.14 (exc)
nextcloud group_folders From 18.0.0 (inc) to 18.1.8 (exc)
nextcloud group_folders From 19.0.0 (inc) to 20.1.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-707 The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Nextcloud Groupfolders allows a user with read-only permission to restore a file from the trash bin, which they should not be able to do. It affects versions prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, and has been fixed in these versions.

Impact Analysis

The vulnerability can impact you by allowing users with only read-only access to restore deleted files, potentially leading to unauthorized changes or data recovery actions that violate intended access controls. This could undermine data integrity and control within shared group folders.

Mitigation Strategies

To mitigate this vulnerability, update Nextcloud Groupfolders to one of the fixed versions: 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, or 20.1.2. This will prevent users with read-only permission from restoring files from the trash bin.

Compliance Impact

This vulnerability allows users with read-only permissions to restore deleted files, which compromises data integrity by enabling unauthorized file restoration. Such unauthorized access and modification of data could lead to violations of compliance requirements in standards like GDPR and HIPAA, which mandate strict access controls and data integrity protections. Therefore, if exploited, this vulnerability could negatively impact compliance with these regulations by allowing unauthorized data recovery and access control violations. [2, 3]

Detection Guidance

This vulnerability can be detected by testing whether a user with read-only permissions on a Nextcloud Groupfolders team folder is able to restore deleted files from the trash bin, which should not be allowed. A practical detection method involves reproducing the issue by: 1) Creating a group and assigning it to a team folder with all permissions enabled. 2) Setting the group's permissions to read-only (disabling editing). 3) Uploading and deleting a file in the team folder. 4) Logging in as a user in the read-only group and attempting to restore the deleted file from the trash bin. If the user can restore the file despite read-only permissions, the vulnerability is present. There are no specific network commands or automated detection scripts provided in the resources. Detection is primarily done through permission and functionality testing within the Nextcloud interface. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66545. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart