CVE-2025-52904
Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until this issue is fixed, the maintainers recommend to completely disable Execute commands for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/filebrowser/filebrowser/v2Go | < 2.33.8 | 2.33.8 |
Affected products
9cpe:2.3:a:filebrowser:filebrowser:2.32.0:*:*:*:*:*:*:*+ 1 more
- cpe:2.3:a:filebrowser:filebrowser:2.32.0:*:*:*:*:*:*:*
- (no CPE)range: <= 2.35.0
- osv-coords7 versionspkg:apk/chainguard/filebrowserpkg:apk/chainguard/filebrowser-compatpkg:apk/wolfi/filebrowserpkg:apk/wolfi/filebrowser-compatpkg:golang/github.com/filebrowser/filebrowserpkg:golang/github.com/filebrowser/filebrowser/v2pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Tumbleweed
< 2.36.0-r0+ 6 more
- (no CPE)range: < 2.36.0-r0
- (no CPE)range: < 2.36.0-r0
- (no CPE)range: < 2.36.0-r0
- (no CPE)range: < 2.36.0-r0
- (no CPE)range: <= 1.11.0
- (no CPE)range: <= 2.35.0
- (no CPE)range: < 0.0.20250730T213748-1.1
Patches
Vulnerability mechanics
References
7- github.com/filebrowser/filebrowser/security/advisories/GHSA-hc8f-m8g5-8362nvdExploitMitigationVendor AdvisoryWEB
- github.com/advisories/GHSA-hc8f-m8g5-8362ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-52904ghsaADVISORY
- github.com/filebrowser/filebrowser/issues/5199nvdIssue TrackingWEB
- github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-01_Filebrowser_Command_Execution_Not_Limited_To_ScopenvdWEB
- pkg.go.dev/vuln/GO-2025-3793nvdWEB
- sloonz.github.io/posts/sandboxing-1nvdTechnical DescriptionWEB
News mentions
0No linked articles in our index yet.