File Browser has Insecure File Permissions
Description
File Browser provides a file-management interface within a specified directory and can be used to upload, delete, preview, rename and edit files. The application never explicitly sets access permissions on files uploaded to or created from File Browser, and the same is true of the database File Browser uses. On standard servers running File Browser prior to version 2.33.7 where the umask configuration has not been hardened, all of these files are readable by any operating system account. Version 2.33.7 fixes the issue.
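Files and directories created before an upgrade keep the mode they were created with, so an existing data directory still needs an audit. The following is an added example, not code from File Browser or the advisory: it lists paths that "other" can read and clears those bits, which turns 0644 into 0640 and 0755 into 0750. The names `WorldReadable` and `StripOther` and the sample tree are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
)

// WorldReadable lists paths under root whose mode lets "other" read (0o004); symlinks are skipped.
func WorldReadable(root string) ([]string, error) {
	var hits []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.Type()&fs.ModeSymlink != 0 {
			return err
		}
		info, err := d.Info()
		if err == nil && info.Mode().Perm()&0o004 != 0 {
			hits = append(hits, p)
		}
		return err
	})
	return hits, err
}

// StripOther clears every "other" permission bit on p and leaves owner and group bits alone.
func StripOther(p string) error {
	info, err := os.Lstat(p)
	if err != nil {
		return err
	}
	return os.Chmod(p, info.Mode()&^0o007)
}

func main() {
	// Constructed sample tree: one file with the pre-fix mode, one with the patched mode.
	root, _ := os.MkdirTemp("", "fb-audit")
	defer os.RemoveAll(root)
	for name, mode := range map[string]fs.FileMode{"old.txt": 0o644, "new.txt": 0o640} {
		os.WriteFile(filepath.Join(root, name), []byte("x"), mode)
		os.Chmod(filepath.Join(root, name), mode) // set exactly, independent of the process umask
	}
	before, _ := WorldReadable(root)
	for _, p := range before {
		StripOther(p)
	}
	after, _ := WorldReadable(root)
	fmt.Println("world-readable before:", before, "after:", after)
}
```

Point `WorldReadable` at the File Browser root directory and at the directory holding the database file; both were affected.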
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/filebrowser/filebrowser/v2 (Go) | < 2.33.7 | 2.33.7 |
| github.com/filebrowser/filebrowser (Go) | <= 1.11.0 | — |
Affected products
- Range: < 2.33.7
Patches
ca86f9162166 Merge commit from fork
2 files changed · +4 −3
cmd/utils.go+2 −1 modified@@ -14,6 +14,7 @@ import ( "github.com/spf13/pflag" yaml "gopkg.in/yaml.v2" + "github.com/filebrowser/filebrowser/v2/files" "github.com/filebrowser/filebrowser/v2/settings" "github.com/filebrowser/filebrowser/v2/storage" "github.com/filebrowser/filebrowser/v2/storage/bolt" @@ -105,7 +106,7 @@ func python(fn pythonFunc, cfg pythonConfig) cobraFunc { log.Println("Using database: " + absPath) data.hadDB = exists - db, err := storm.Open(path) + db, err := storm.Open(path, storm.BoltOptions(files.PermFile, nil)) checkErr(err) defer db.Close() data.store, err = bolt.NewStorage(db)
files/file.go+2 −2 modified@@ -27,8 +27,8 @@ import ( "github.com/filebrowser/filebrowser/v2/rules" ) -const PermFile = 0644 -const PermDir = 0755 +const PermFile = 0640 +const PermDir = 0750 var ( reSubDirs = regexp.MustCompile("(?i)^sub(s|titles)$")
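Review bot: in cmd/utils.go, the mode handed to `storm.BoltOptions(files.PermFile, nil)` is only applied when the database file is created, so on the path where `exists` is true a database written by an older release keeps the mode it already has. Consider an explicit chmod of `path` after a successful open when the file already existed, or state in the upgrade notes that operators must tighten the existing file themselves.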
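Review bot: in files/file.go, `PermFile = 0640` and `PermDir = 0750` carry no doc comment saying that access for "other" is deliberately withheld, and the values only affect files and directories created after this change, still subject to the process umask. Add a comment on each constant stating the intent, and consider the `0o640` / `0o750` literal form so the octal base is explicit.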
References
- github.com/advisories/GHSA-jj2r-455p-5gvf
- nvd.nist.gov/vuln/detail/CVE-2025-52900
- github.com/filebrowser/filebrowser/commit/ca86f916216620365c0f81629c0934ce02574d76
- github.com/filebrowser/filebrowser/security/advisories/GHSA-jj2r-455p-5gvf
- github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-03_Filebrowser_Insecure_File_Permissions
- pkg.go.dev/vuln/GO-2025-3785