CVE-2025-52900: filebrowser Sets Insecure File Permissions
(updated )
The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers where the umask configuration has not been hardened before, this makes all the stated files readable by any operating system account.
References
- github.com/advisories/GHSA-jj2r-455p-5gvf
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/ca86f916216620365c0f81629c0934ce02574d76
- github.com/filebrowser/filebrowser/security/advisories/GHSA-jj2r-455p-5gvf
- github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-03_Filebrowser_Insecure_File_Permissions
- nvd.nist.gov/vuln/detail/CVE-2025-52900
- pkg.go.dev/vuln/GO-2025-3785
Code Behaviors & Features
Detect and mitigate CVE-2025-52900 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →