Cyber Resilience

CVE-2025-52903

High · Public PoC · RCE · Updated

Published: 26 June 2025
Modified: 09 June 2026
KEV Added: not in CISA KEV
Patch: 2.33.10
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0066 (71.4th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-52903 is a high-severity command injection (CWE-77) vulnerability in File Browser (filebrowser/filebrowser). Its CVSS v3.1 base score is 8.0 (High).

Operationally, its EPSS score places it in the top 28.6% of CVEs by predicted exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

File Browser versions on the 2.x branch prior to 2.33.10 contain a command execution flaw tracked as CVE-2025-52903. The application restricts the Command Execution feature to an allowlist of predefined shell commands per user, yet many standard utilities can themselves invoke arbitrary subcommands, so an allowlist keyed on the command name alone does not bound what actually runs. This bypass is classified under CWE-77 and carries a CVSS 3.1 score of 8.0.

An authenticated user granted the Execute commands permission can therefore run commands beyond the intended allowlist by invoking an allowed utility that spawns other programs. Successful exploitation yields code execution under the UID of the File Browser server process; the precise impact depends on which commands the attacker's allowlist contains, but because so many standard tools can launch subcommands, most users holding that permission are expected to be able to exploit it.

The project addressed the issue in version 2.33.10 by adding an explicit check that validates commands when shell execution is requested. The accompanying GitHub Security Advisory GHSA-3q2w-42mv-cph4 and the referenced commit 4d830f707fc4314741fd431e70c2ce50cd5a3108 document the fix and the original bypass vectors reported in issue 5199.
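The bypass class and the shape of a check against it, as an added Go example that is not File Browser's code. The first function mirrors the weak pattern the advisory describes: only the command name is compared against the user's allowlist and the whole line is then handed to a shell. GNU `find -exec` stands in here for the many utilities that spawn subcommands; the advisory does not name specific tools. The second function is one hardened form: the allowlist holds complete invocations, the submitted line must match one token for token, shell metacharacters are refused, and the result is an argv meant for os/exec rather than `sh -c`. The type and function names, both allowlists and the sample command lines are constructed for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// nameAllowlist is the weak allowlist shape the advisory describes: a set of
// bare command names per user. (Assumed type, not File Browser's.)
type nameAllowlist map[string]bool

// naiveAllowed returns true when the first word of cmdline is allowlisted.
// Everything after it (flags, subcommands, -exec payloads) goes unchecked,
// and the caller passes the full line to a shell.
func naiveAllowed(allow nameAllowlist, cmdline string) bool {
	fields := strings.Fields(cmdline)
	if len(fields) == 0 {
		return false
	}
	return allow[fields[0]]
}

// shellMeta lists characters that would let a line escape a single command
// if it were ever re-parsed by a shell; the strict path rejects them all.
const shellMeta = ";&|$`<>(){}\n\\\"'"

// strictAllowed is the hardened form: allow holds complete argument vectors,
// the line must match one of them exactly, and no shell metacharacter is
// tolerated. On success it returns the argv to hand to exec.Command directly,
// so no shell ever interprets the line.
func strictAllowed(allow [][]string, cmdline string) (argv []string, ok bool) {
	if strings.ContainsAny(cmdline, shellMeta) {
		return nil, false
	}
	got := strings.Fields(cmdline)
	if len(got) == 0 {
		return nil, false
	}
	for _, want := range allow {
		if len(want) != len(got) {
			continue
		}
		match := true
		for i := range want {
			if want[i] != got[i] {
				match = false
				break
			}
		}
		if match {
			return got, true
		}
	}
	return nil, false
}

func main() {
	// Constructed sample: argv[0] is allowlisted, but find itself will run
	// whatever follows -exec, so the name check bounds nothing.
	names := nameAllowlist{"find": true, "ls": true}
	bypass := `find . -maxdepth 0 -exec sh -c "id" \;`
	fmt.Println("naive accepts bypass:", naiveAllowed(names, bypass))

	invocations := [][]string{{"ls", "-la"}, {"find", ".", "-maxdepth", "1"}}
	_, ok := strictAllowed(invocations, bypass)
	fmt.Println("strict accepts bypass:", ok)
	argv, ok := strictAllowed(invocations, "ls -la")
	fmt.Println("strict accepts ls -la:", ok, argv)
}
```

The strict check is deliberately exact-match. A looser policy that validates flags per command needs a per-utility model of which flags and arguments spawn processes, and that model is exactly what the allowlist-by-name approach lacked.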

EPSS for the CVE rose from a starting value of 0.0066 to a peak of 0.0133, indicating measurable post-disclosure interest.


Vulnerability details

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions on the 2.x branch prior to 2.33.10, the Command Execution feature of File Browser only allows the execution of shell commands which have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary different commands, rendering this limitation void. The concrete impact depends on the commands being granted to the attacker, but the large number of standard commands allowing the execution of subcommands makes it likely that every user having the `Execute commands` permission can exploit this vulnerability. Everyone who can exploit it will have full code execution rights with the uid of the server process. Version 2.33.10 contains a check for whether a command is allowed when using shell.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: filebrowser
Product: filebrowser
Version: 2.32.0 (the advisory scope is every 2.x release prior to 2.33.10)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References