{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-52903", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-20T17:42:25.712Z", "datePublished": "2025-06-26T18:16:32.203Z", "dateUpdated": "2025-06-30T12:54:57.857Z"}, "containers": {"cna": {"title": "File Browser Allows Execution of Shell Commands That Can Spawn Other Commands", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4"}, {"name": "https://github.com/filebrowser/filebrowser/issues/5199", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/issues/5199"}, {"name": "https://github.com/GoogleContainerTools/distroless", "tags": ["x_refsource_MISC"], "url": "https://github.com/GoogleContainerTools/distroless"}, {"name": "https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html", "tags": ["x_refsource_MISC"], "url": "https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html"}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"version": "< 2.33.10", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-30T12:54:57.857Z"}, "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0, the Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. The fix is tracked on pull request 5199."}], "source": {"advisory": "GHSA-3q2w-42mv-cph4", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-26T19:32:24.201070Z", "id": "CVE-2025-52903", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T19:32:27.851Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-52903", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-26T19:32:24.201070Z"}}}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-26T19:32:19.418Z"}}], "cna": {"title": "File Browser Allows Execution of Shell Commands That Can Spawn Other Commands", "source": {"advisory": "GHSA-3q2w-42mv-cph4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"status": "affected", "version": "< 2.33.10"}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4", "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/filebrowser/filebrowser/issues/5199", "name": "https://github.com/filebrowser/filebrowser/issues/5199", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/GoogleContainerTools/distroless", "name": "https://github.com/GoogleContainerTools/distroless", "tags": ["x_refsource_MISC"]}, {"url": "https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html", "name": "https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0, the Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. The fix is tracked on pull request 5199."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-30T12:54:57.857Z"}}}, "cveMetadata": {"cveId": "CVE-2025-52903", "state": "PUBLISHED", "dateUpdated": "2025-06-30T12:54:57.857Z", "dateReserved": "2025-06-20T17:42:25.712Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-26T18:16:32.203Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In version 2.32.0, the Command Execution feature of File Browser only allows the execution of shell command which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permissions can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image. A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. The fix is tracked on pull request 5199."}, {"lang": "es", "value": "File Browser proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio espec\u00edfico y permite cargar, eliminar, previsualizar, renombrar y editar archivos. En la versi\u00f3n 2.32.0, la funci\u00f3n de Ejecuci\u00f3n de Comandos del Explorador de Archivos solo permite la ejecuci\u00f3n de comandos de shell predefinidos en una lista de permitidos espec\u00edfica del usuario. Muchas herramientas permiten la ejecuci\u00f3n de comandos arbitrarios, lo que invalida esta limitaci\u00f3n. El impacto concreto depende de los comandos otorgados al atacante, pero la gran cantidad de comandos est\u00e1ndar que permiten la ejecuci\u00f3n de subcomandos hace probable que cualquier usuario con permisos de \"Ejecutar comandos\" pueda explotar esta vulnerabilidad. Cualquiera que pueda explotarla tendr\u00e1 plenos derechos de ejecuci\u00f3n de c\u00f3digo con el uid del proceso del servidor. Hasta que se solucione este problema, los mantenedores recomiendan deshabilitar completamente la funci\u00f3n de \"Ejecutar comandos\" para todas las cuentas. Dado que la ejecuci\u00f3n de comandos es una funci\u00f3n inherentemente peligrosa que no se utiliza en todas las implementaciones, deber\u00eda ser posible deshabilitarla por completo en la configuraci\u00f3n de la aplicaci\u00f3n. Como medida de defensa a fondo, las organizaciones que no requieran la ejecuci\u00f3n de comandos deber\u00edan operar el Explorador de archivos desde una imagen de contenedor sin distribuci\u00f3n. Se ha publicado una versi\u00f3n de parche para deshabilitar la funci\u00f3n en todas las instalaciones existentes y habilitarla. Se ha a\u00f1adido una advertencia a la documentaci\u00f3n, que se muestra en la consola si la funci\u00f3n est\u00e1 habilitada. Debido a que el proyecto se encuentra en modo de mantenimiento, el error no se ha corregido. La correcci\u00f3n se encuentra en la solicitud de incorporaci\u00f3n de cambios 5199."}], "id": "CVE-2025-52903", "lastModified": "2025-06-30T18:39:09.973", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 6.0, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-06-26T19:15:21.587", "references": [{"source": "[email protected]", "url": "https://github.com/GoogleContainerTools/distroless"}, {"source": "[email protected]", "url": "https://github.com/filebrowser/filebrowser/issues/5199"}, {"source": "[email protected]", "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4"}, {"source": "[email protected]", "url": "https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "[email protected]", "type": "Secondary"}]}

{}