CVE-2025-53826
Published: 15 July 2025
Summary
CVE-2025-53826 is a critical-severity Authentication Bypass by Primary Weakness (CWE-305) vulnerability in File Browser (vendor: Filebrowser). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 43.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and IA-5 (Authenticator Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-12 (Session Termination): requires automatic termination of user sessions on logout or on defined events, directly preventing long-lived JWT tokens from remaining valid and usable after logout.
IA-5 (Authenticator Management): mandates procedures for managing and revoking authenticators, JWT tokens included, on logout or compromise, blocking persistent unauthorized access.
SC-23 (Session Authenticity): requires mechanisms that protect session authenticity, such as cryptographic protections or duration limits, mitigating the risk of long-lived tokens remaining valid after logout.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct authentication bypass via non-invalidated JWTs in a public-facing web application enables exploitation for initial access and reuse of alternate web authentication material.
NVD Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser's authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of publication, no known patches exist.
Deeper analysis
CVE-2025-53826 is a critical authentication vulnerability in File Browser version 2.39.0, an open-source web-based file manager that provides interfaces for uploading, deleting, previewing, renaming, and editing files within a specified directory. The flaw stems from the authentication system issuing long-lived JSON Web Tokens (JWTs) that remain valid even after a user explicitly logs out; it is mapped to CWE-305, CWE-385, and CWE-613. Published on 2025-07-15, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An attacker who obtains a valid JWT token (for example through phishing, token leakage, or prior legitimate access) can use it over the network without further authentication privileges or user interaction, because logout does not invalidate it. With the token, the attacker gains persistent unauthorized access to perform full file management operations within the configured directory (uploading malicious files, deleting data, previewing sensitive content, renaming or editing files), resulting in high impacts to confidentiality, integrity, and availability.
The GitHub security advisory GHSA-7xwp-2cpp-p8r7 and the related issue #5216 confirm that, as of publication, no patches or mitigations are available for File Browser 2.39.0. Security practitioners should monitor for updates, restrict network exposure, implement strict token handling, and consider alternative file managers until remediation is released.
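The "strict token handling" the analysis calls for comes down to two things a JWT issuer must do that the vulnerable version does not: keep token lifetimes short, and keep a server-side record of revoked token IDs that logout writes to and every verification consults. The following is an added, hypothetical session layer illustrating both (it is not File Browser's code); the secret, TTL and sample users are constructed, and the `alg` is pinned to HS256 rather than read from the header.

```python
"""Hypothetical session layer: short-lived HS256 JWTs plus a server-side
revocation list so that logout actually invalidates the token."""
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key-do-not-use"   # constructed sample key
TTL_SECONDS = 15 * 60                         # short lifetime bounds a leaked token's usefulness
_revoked = {}                                 # jti -> exp; prune entries once exp has passed

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(signing_input: str) -> str:
    return _b64(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())

def issue(user: str, jti: str, now: int) -> str:
    """Mint a token carrying a unique jti so it can be revoked individually."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"sub": user, "jti": jti, "exp": now + TTL_SECONDS}).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_sign(signing_input)}"

def logout(token: str, now: int) -> None:
    """Server-side session termination (NIST AC-12): deny-list the token's jti."""
    claims = verify(token, now)
    if claims:
        _revoked[claims["jti"]] = claims["exp"]

def verify(token: str, now: int):
    """Return the claims if signature, expiry and revocation checks all pass, else None.
    The algorithm is fixed to HS256; the header's alg field is never trusted."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(f"{header}.{payload}").encode()):
        return None
    claims = json.loads(_unb64(payload))
    if now >= claims["exp"] or claims["jti"] in _revoked:
        return None
    return claims

def prune(now: int) -> None:
    """Drop revoked entries whose tokens have expired anyway (IA-5 housekeeping)."""
    for jti in [j for j, exp in _revoked.items() if exp <= now]:
        del _revoked[jti]
```

In the vulnerable behaviour the page describes, `logout` would be a no-op and `verify` would skip the `_revoked` check, so a token captured before logout keeps working until its (long) expiry.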
Details
- CWE(s)