Unrated severityNVD Advisory· Published May 16, 2025· Updated May 16, 2025

Nextcloud Server's test remote endpoint is not rate limited

CVE-2025-47791

Description

Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to verify a share recipient was not protected correctly, allowing to proxy requests to another server. The endpoint was removed in Nextcloud Server 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server 28.0.13, 29.0.10, and 30.0.3. No known workarounds are available.

Affected products

Nextcloud/Serverllm-fuzzy
Range: < 28.0.13, 29.0.10, 30.0.3
Nextcloud/Nextcloud Enterprise Serverllm-fuzzy
Range: < 28.0.13, 29.0.10, 30.0.3
nextcloud/security-advisoriesv5
Range: >= 28.0.0, < 28.0.13

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/nextcloud/security-advisories/security/advisories/GHSA-c7vq-m7f8-rx37mitrex_refsource_CONFIRM
github.com/nextcloud/server/pull/49558mitrex_refsource_MISC

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000