CVE-2025-52997

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers could mount a brute-force attack to retrieve the passwords of all accounts in a given instance. This issue has been patched in version 2.34.1.

CVSS v3 5.9 MEDIUM

5.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/filebrowser/filebrowser/commit/bf37f88c32222ad9c186482bb97338a9c9b4a93c	Patch
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-cm2r-rg7r-p7gg	Exploit Vendor Advisory
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250327-01_Filebrowser_Insecure_Password_Handling

Configurations

Configuration 1 (hide)

cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*

History

04 Aug 2025, 18:15

Type	Values Removed	Values Added
References		() https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250327-01_Filebrowser_Insecure_Password_Handling -

10 Jul 2025, 13:48

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-30 20:15

Updated : 2025-08-04 18:15

NVD link : CVE-2025-52997

Mitre link : CVE-2025-52997

CVE.ORG link : CVE-2025-52997

JSON object : View

Products Affected

filebrowser

filebrowser

CWE

CWE-307

Improper Restriction of Excessive Authentication Attempts

CWE-521

Weak Password Requirements

CWE-1392

Use of Default Credentials

{"id": "CVE-2025-52997", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.2}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-06-30T20:15:25.847", "references": [{"url": "https://github.com/filebrowser/filebrowser/commit/bf37f88c32222ad9c186482bb97338a9c9b4a93c", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-cm2r-rg7r-p7gg", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250327-01_Filebrowser_Insecure_Password_Handling", "source": "security-advisories@github.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-307"}, {"lang": "en", "value": "CWE-521"}, {"lang": "en", "value": "CWE-1392"}]}], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and brute-force protection makes the authentication process insecure. Attackers could mount a brute-force attack to retrieve the passwords of all accounts in a given instance. This issue has been patched in version 2.34.1."}, {"lang": "es", "value": "File Browser proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio espec\u00edfico y permite cargar, eliminar, previsualizar, renombrar y editar archivos. Antes de la versi\u00f3n 2.34.1, la falta de una pol\u00edtica de contrase\u00f1as y la protecci\u00f3n contra ataques de fuerza bruta hac\u00edan inseguro el proceso de autenticaci\u00f3n. Los atacantes pod\u00edan realizar un ataque de fuerza bruta para recuperar las contrase\u00f1as de todas las cuentas en una instancia dada. Este problema se ha corregido en la versi\u00f3n 2.34.1."}], "lastModified": "2025-08-04T18:15:35.313", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "722408D2-65E2-422E-8B39-30C43A569C5C", "versionEndExcluding": "2.34.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}