CVE-2025-66549
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-09

Assigner: GitHub, Inc.

Description
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-09
Generated
2026-06-16
AI Q&A
2025-12-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66549
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nextcloud desktop From 3.0.0 (inc) to 3.16.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-209 The product generates an error message that includes sensitive information about its environment, users, or associated data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Nextcloud Desktop versions prior to 3.16.5 occurs when a user tries to manually lock a file inside an end-to-end encrypted directory. The file path is sent to the server unencrypted, which means server administrators can see the file path in log files, potentially exposing sensitive information.

Impact Analysis

The vulnerability can impact you by exposing the paths of files stored in end-to-end encrypted directories to server administrators. This exposure could lead to privacy concerns or information leakage, as sensitive file paths might be visible in server logs even though the file contents are encrypted.

Mitigation Strategies

Upgrade the Nextcloud Desktop sync client to version 3.16.5 or later, as this version fixes the vulnerability where file paths inside end-to-end encrypted directories were sent unencrypted to the server.

Compliance Impact

This vulnerability causes the file path of files inside end-to-end encrypted directories to be sent unencrypted to the server, allowing server administrators to see these paths in log files. This exposure of file path information could potentially lead to confidentiality issues, which may impact compliance with data protection regulations such as GDPR or HIPAA that require protection of sensitive information. However, the vulnerability does not affect data integrity or availability, and the impact is limited to information disclosure of file paths only. Upgrading to Nextcloud Desktop client version 3.16.5 mitigates this risk. [3]

Detection Guidance

This vulnerability involves the transmission of unencrypted file paths to the server when manually locking files inside end-to-end encrypted directories using Nextcloud Desktop versions prior to 3.16.5. To detect this on your network, you can monitor network traffic for WebDAV LOCK requests containing cleartext file paths related to end-to-end encrypted directories. Using network packet capture tools like Wireshark or tcpdump, filter for WebDAV LOCK methods and inspect the paths sent. For example, you can use the following tcpdump command to capture WebDAV traffic: tcpdump -i <interface> -s 0 -w capture.pcap 'tcp port 80 or tcp port 443' and then analyze the capture for LOCK requests with unencrypted paths. Additionally, reviewing server log files for cleartext file paths in lock operations can help identify the vulnerability. Note that no specific commands are provided in the resources, but monitoring WebDAV LOCK requests for unencrypted paths is the key detection method. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66549. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart