SB2025070363 - Multiple vulnerabilities in FileBrowser
Published: July 3, 2025
Description
This security bulletin contains information about 3 security vulnerabilities.
1) Command Injection (CVE-ID: CVE-2025-52903)
The vulnerability allows a remote user to execute arbitrary commands on the target system.
The vulnerability exists due to insufficient input validation. A remote administrator can pass specially crafted data to the application and execute arbitrary commands in the context of the FileBrowser process.
2) Authentication Bypass by Primary Weakness (CVE-ID: CVE-2025-52996)
The vulnerability allows a remote attacker to bypass the authentication process.
The vulnerability exists due to a bypass of the password protection on shared links. A remote attacker can access a password-protected link without supplying the password and download the shared file.
3) Command Injection (CVE-ID: CVE-2025-52904)
The vulnerability allows a remote user to execute arbitrary commands on the target system.
The vulnerability exists due to insufficient input validation in the Command Execution feature. A remote administrator can pass specially crafted data to the application and execute arbitrary commands in the context of the FileBrowser process.
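Vulnerabilities 1) and 3) both fall into the same class: a command-execution feature that validates user input insufficiently before running it. The following Go program is an added illustration of that class and its hardened counterpart; it is not FileBrowser's code and not taken from the bulletin or the referenced advisories. The allowlist entries, their absolute paths, and the function names are assumptions made for the example. naiveArgv checks only the first whitespace-separated token and then hands the whole string to /bin/sh, so anything after an allowed command name is executed too; safeArgv rejects shell metacharacters, resolves the command name to a fixed path, and passes the remaining fields as literal arguments with no shell involved.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// allowlist maps the bare command name a user may submit to the absolute
// path that is actually executed. Entries and paths are illustrative
// assumptions, not a configuration taken from any real deployment.
var allowlist = map[string]string{
	"git": "/usr/bin/git",
	"ls":  "/bin/ls",
}

// naiveArgv shows the weak pattern: validate only the first
// whitespace-separated token against the allowlist, then hand the full,
// unmodified string to a shell. The returned slice is the argv that would
// be executed; nothing is run here.
func naiveArgv(cmd string) ([]string, error) {
	fields := strings.Fields(cmd)
	if len(fields) == 0 {
		return nil, errors.New("empty command")
	}
	if _, ok := allowlist[fields[0]]; !ok {
		return nil, fmt.Errorf("command %q not allowed", fields[0])
	}
	// /bin/sh re-parses cmd, so ';', '|', '&&', '$(...)' and backticks
	// placed after the allowed token all take effect.
	return []string{"/bin/sh", "-c", cmd}, nil
}

// safeArgv is the hardened form: reject shell metacharacters outright,
// split the string in Go, resolve argv[0] through the allowlist to a fixed
// absolute path, and never involve a shell. Remaining fields reach the
// program as literal arguments.
func safeArgv(cmd string) ([]string, error) {
	if strings.ContainsAny(cmd, ";|&$`<>(){}\n\\'\"") {
		return nil, errors.New("shell metacharacters are not allowed")
	}
	fields := strings.Fields(cmd)
	if len(fields) == 0 {
		return nil, errors.New("empty command")
	}
	path, ok := allowlist[fields[0]]
	if !ok {
		return nil, fmt.Errorf("command %q not allowed", fields[0])
	}
	return append([]string{path}, fields[1:]...), nil
}

// run executes an argv produced by safeArgv directly (no shell) under a
// wall-clock limit and returns the combined output.
func run(argv []string, timeout time.Duration) (string, error) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	out, err := exec.CommandContext(ctx, argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed sample inputs: a benign command, an injection attempt
	// hidden behind an allowed token, and a command outside the allowlist.
	for _, cmd := range []string{"git status", "git status; id", "id -u"} {
		if argv, err := naiveArgv(cmd); err == nil {
			fmt.Printf("naive accepts %q -> %q\n", cmd, argv)
		} else {
			fmt.Printf("naive rejects %q: %v\n", cmd, err)
		}
		if argv, err := safeArgv(cmd); err == nil {
			fmt.Printf("safe  accepts %q -> %q\n", cmd, argv)
		} else {
			fmt.Printf("safe  rejects %q: %v\n", cmd, err)
		}
	}
	// Direct execution of a vetted argv; failures (e.g. binary missing at
	// the assumed path) are reported rather than hidden.
	if argv, err := safeArgv("ls -d /"); err == nil {
		out, err := run(argv, 5*time.Second)
		fmt.Printf("ls -> %q err=%v\n", strings.TrimSpace(out), err)
	}
}
```

Even the hardened form only limits which binary starts; it does not stop argument-level abuse of an allowed program (many tools accept options that run further commands or write arbitrary files), and the child still runs with the full privileges of the server process. Where command execution is not required, disabling the feature is the stronger control; where it is, running the server under the kind of sandboxing described in the references (minimal image, resource limits via prlimit, reduced privileges) limits what a successful injection can reach.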
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.
References
- https://github.com/filebrowser/filebrowser/issues/5199
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4
- https://github.com/GoogleContainerTools/distroless
- https://manpages.debian.org/bookworm/util-linux/prlimit.1.en.html
- https://github.com/filebrowser/filebrowser/issues/5239
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-hc8f-m8g5-8362
- https://sloonz.github.io/posts/sandboxing-1