CVE-2025-66552
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-05

Last updated on: 2025-12-10

Assigner: GitHub, Inc.

Description
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1, incorrect path handling with groupfolders caused the admin_audit app to not properly log all actions on files and folders inside groupfolders. This vulnerability is fixed in Nextcloud Server and Enterprise Server prior to 30.0.9 and 31.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-05
Last Modified
2025-12-10
Generated
2026-06-16
AI Q&A
2025-12-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66552
EUVD
EUVD-2025-201446
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.9 (exc)
nextcloud nextcloud_server From 30.0.0 (inc) to 30.0.9 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.1 (exc)
nextcloud nextcloud_server From 31.0.0 (inc) to 31.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-778 When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability causes the admin_audit app in Nextcloud Server to not properly log all actions on files and folders inside groupfolders, resulting in insufficient logging of security-critical events. Insufficient logging can hinder accurate auditing and tracking of file access or modifications, which may impact compliance with standards and regulations like GDPR and HIPAA that require thorough audit trails and accountability for data access. Therefore, this vulnerability could negatively affect compliance by compromising the integrity and completeness of audit logs. The recommended mitigation is to upgrade to fixed versions where the issue is resolved, restoring proper audit logging. [1, 2]

Executive Summary

This vulnerability in Nextcloud Server and Enterprise Server prior to versions 30.0.9 and 31.0.1 is due to incorrect path handling with groupfolders. It causes the admin_audit app to fail to properly log all actions performed on files and folders inside groupfolders.

Impact Analysis

Because the admin_audit app does not properly log all actions on files and folders inside groupfolders, administrators may not have a complete audit trail of user activities. This can hinder the ability to detect unauthorized or malicious actions, potentially impacting security monitoring and incident response.

Mitigation Strategies

To mitigate this vulnerability, update Nextcloud Server and Enterprise Server to versions 30.0.9 or later, or 31.0.1 or later, where the incorrect path handling with groupfolders and admin_audit logging issue is fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66552. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart