CVE-2025-52904: File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In ...

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.

Metrics

CVSS 3.1

8/10

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Probability

0.89%

54.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-77

Affected Software

Vendor	Product	Versions
Filebrowser	Filebrowser	2.32.0

References

https://github.com/GoogleContainerTools/distrolessProduct
https://github.com/filebrowser/filebrowser/issues/5199Issue Tracking
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hc8f-m8g5-8362Exploit, Mitigation, Vendor Advisory
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-01_Filebrowser_Command_Execution_Not_Limited_To_Scope
https://pkg.go.dev/vuln/GO-2025-3793
https://sloonz.github.io/posts/sandboxing-1Technical Description
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hc8f-m8g5-8362Exploit, Mitigation, Vendor Advisory

Timeline

Published: Jun 26, 2025
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2025-52904?

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until this issue is fixed, the maintainers recommend to completely disable `Execute commands` for all accounts. Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.

How severe is CVE-2025-52904?

CVE-2025-52904 has a CVSS score of 8/10 (HIGH severity). The EPSS model estimates a 0.89% probability of exploitation in the next 30 days.

How do I fix CVE-2025-52904?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.