CVE-2025-52904
Published: 26 June 2025
Summary
CVE-2025-52904 is a high-severity Command Injection (CWE-77) vulnerability in File Browser (vendor: Filebrowser). Its CVSS base score is 8.0 (High).
Operationally, it is ranked in the top 31.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
File Browser is a web application that provides a file management interface for a specified directory, supporting operations such as upload, delete, preview, rename, and edit. In the 2.x branch, every user is assigned a scope that should limit access to files within that directory. The Command Execution feature, however, permits execution of arbitrary shell commands without enforcing the assigned scope, allowing bypass of these restrictions and resulting in read and write access to all files managed by the server. The issue is tracked as CWE-77 and carries a CVSS 3.1 score of 8.0.
An attacker can exploit the flaw only after an instance administrator explicitly enables the Command Execution feature despite built-in warnings. Once enabled, any authenticated user can run unrestricted shell commands, achieving full access to the server's file system regardless of their configured scope. The vulnerability therefore requires administrative misconfiguration rather than remote unauthenticated access.
Advisories and the project repository state that the Execute commands feature should be disabled for all accounts until a fix is applied. The maintainers have disabled the feature by default in version 2.33.8 for both new and existing installations, and they recommend complete deactivation in earlier 2.x releases. The referenced security advisory and Go vulnerability database entry document this configuration change as the primary mitigation.
EPSS for the CVE rose from a low baseline to a recorded peak of 0.0115, indicating emerging exploitation interest after disclosure. No confirmed real-world exploitation campaigns are noted in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19557
Vulnerability details
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions of the web application on the 2.x branch, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server. Until this issue is fixed, the maintainers recommend completely disabling `Execute commands` for all accounts. Since command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration. This feature has been disabled by default for all installations from v2.33.8 onwards, including for existing installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities.
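The mitigation above amounts to two checks an administrator can run against an instance: is any account still granted the Execute commands permission, and is the server older than v2.33.8? The script below is an added example (not File Browser's own code) that performs both over an exported users list; it assumes the JSON shape of a 2.x `filebrowser users export` file, with a `username`, a `scope` and a `perm` object carrying a boolean `execute` flag (field names are an assumption based on the 2.x user model; adjust if your export differs).

```python
"""Audit an exported File Browser users list for CVE-2025-52904 exposure.

Added example, not part of the File Browser project. Assumed export shape:
a JSON array of users, each with "username", "scope" and a "perm" object
whose "execute" boolean grants the Command Execution feature.
"""
import json

FIXED_VERSION = (2, 33, 8)  # release that turns command execution off by default


def parse_version(v: str) -> tuple:
    """Turn 'v2.33.7' or '2.33.7' into a comparable tuple of ints."""
    return tuple(int(p) for p in v.lstrip("v").split(".")[:3])


def exec_enabled_users(users: list) -> list:
    """Usernames that may run shell commands; such commands ignore the user's scope."""
    return [u["username"] for u in users if u.get("perm", {}).get("execute", False)]


def audit(users_json: str, version: str) -> dict:
    """Summarise exposure: accounts with execute permission, and whether the
    running version predates the default-off change shipped in 2.33.8."""
    users = json.loads(users_json)
    flagged = exec_enabled_users(users)
    return {
        "needs_upgrade": parse_version(version) < FIXED_VERSION,
        "exec_users": flagged,
        # Any execute-capable account can read and write outside its scope.
        "exposed": bool(flagged),
    }


# Constructed sample export (not real data): one admin, one scoped user with
# execute enabled, one scoped user without it.
SAMPLE_EXPORT = json.dumps([
    {"id": 1, "username": "admin", "scope": "/", "perm": {"admin": True, "execute": False}},
    {"id": 2, "username": "alice", "scope": "/home/alice", "perm": {"admin": False, "execute": True}},
    {"id": 3, "username": "bob", "scope": "/home/bob", "perm": {"admin": False, "execute": False}},
])

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_EXPORT, "v2.33.7"), indent=2))
```

Any account listed under `exec_users` should have the permission removed regardless of version, since the fix only changes the default and an administrator can still re-enable the feature.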
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.