CVE-2025-52904

Severity: High (CVSS 3.1 base score 8.0) · EPSS 54.7%
Published Jun 26, 2025 (1y ago) · Modified Jun 17, 2026 (1w ago)

Description

File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename and edit files. In the 2.x branch of the web application, every user has a scope assigned and only has access to the files within that scope. The Command Execution feature of File Browser, however, runs shell commands that are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server.

Until the issue is fixed, the maintainers recommend completely disabling `Execute commands` for all accounts. Because command execution is an inherently dangerous feature that not all deployments use, it should be possible to disable it entirely in the application's configuration. The feature has been disabled by default for all installations from v2.33.8 onwards, including existing installations. To exploit this vulnerability, the instance administrator must turn the feature on and ignore the warnings about known vulnerabilities.
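The core point of the advisory is that a per-user scope enforced on the file API is not a boundary for a shell command that merely starts in that directory. The following is an added illustration written for this page, not File Browser's code: a path check of the kind a file API applies, the flawed "run with cwd=scope" executor beside it, and a small audit helper. The user records, directory layout and the `perm.execute` field name are constructed for the example; check the field names against your own instance's export before relying on the helper.

```python
"""Model of the flaw: a scope enforced on file operations but not on
command execution. Added illustration, not File Browser's own code."""
import os
import pathlib
import subprocess
import tempfile


def path_within_scope(scope: str, relative: str) -> bool:
    """Scope check as a file API would apply it: resolve the requested path
    (following '..' and symlinks) and require it to stay under the scope."""
    root = pathlib.Path(scope).resolve()
    target = (root / relative).resolve()
    return target == root or root in target.parents


def run_command_in_scope(scope: str, argv: list[str]) -> str:
    """The flawed model: the command only *starts* in the scope directory.
    A working directory is not confinement; '..' and absolute paths still
    reach every file the server process can read or write."""
    proc = subprocess.run(argv, cwd=scope, capture_output=True, text=True, check=False)
    return proc.stdout


def users_with_execute(users: list[dict]) -> list[str]:
    """Audit helper: accounts that still carry the execute permission.
    Assumes records shaped like {"username": ..., "perm": {"execute": bool}}
    (a hypothetical shape chosen for this example)."""
    return [u["username"] for u in users if u.get("perm", {}).get("execute", False)]


def demo() -> dict:
    """Build two user scopes in a temp dir and compare both access paths."""
    root = tempfile.mkdtemp()
    alice = os.path.join(root, "users", "alice")
    bob = os.path.join(root, "users", "bob")
    os.makedirs(alice)
    os.makedirs(bob)
    with open(os.path.join(bob, "secret.txt"), "w") as fh:
        fh.write("bob-only\n")

    traversal = "../bob/secret.txt"
    # Constructed user records for the audit helper (not a real export).
    users = [
        {"username": "alice", "perm": {"execute": True}},
        {"username": "bob", "perm": {"execute": False}},
    ]
    return {
        # The file API's scope check rejects the traversal ...
        "file_api_allows": path_within_scope(alice, traversal),
        # ... but a command started in alice's scope reads bob's file anyway.
        "command_output": run_command_in_scope(alice, ["cat", traversal]).strip(),
        # Mitigation check: who still has execute enabled?
        "execute_enabled": users_with_execute(users),
    }


if __name__ == "__main__":
    print(demo())
```

The only effective mitigation the advisory offers is the one the audit helper checks for: no account may keep the execute permission. Tightening the path check does not help, because the shell never consults it.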

CVSS Details

Base Score: 8.0
Exploitability: 1.3
Impact: 6.0
Vector string: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction None
Scope Changed
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability: 54.7% (listed as a percentile)
Exploit & Patch Status: Public Exploit Known; No Patch Available
(Note: the vendor advisory quoted in the description reports the feature disabled by default from v2.33.8 rather than removed, so this status depends on whether an administrator has re-enabled it.)

Weaknesses 1

CWE-77: Command Injection

Affected Products 1

Vendor       Product       Version   Range
filebrowser  filebrowser   2.32.0    any

References 6

  • github.com https://github.com/GoogleContainerTools/distroless (Product)
  • github.com https://github.com/filebrowser/filebrowser/issues/5199 (Issue Tracking)
  • github.com https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hc8f-m8g5-8362 (Exploit, Mitigation, Vendor Advisory)
  • github.com https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-01_Filebrowser_Command_Execution_Not_Limited_To_Scope
  • pkg.go.dev https://pkg.go.dev/vuln/GO-2025-3793
  • sloonz.github.io https://sloonz.github.io/posts/sandboxing-1 (Technical Description)

Remediation

No remediation data recorded yet.

Per the vendor advisory summarized in the description: disable `Execute commands` for all accounts; from v2.33.8 onwards the feature is disabled by default, including for existing installations, so verify that no account has had it re-enabled.

Check vendor advisories and the NVD entry for patch availability.