CVE-2025-52901: File Browser allows sensitive data to be transferred in URL
URLs that a user accesses are commonly logged in many locations, both server- and client-side, so it is good practice never to transmit secret information as part of a URL. File Browser violates this practice because access tokens are passed as GET parameters.
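A token carried in the query string ends up wherever request lines are recorded. As an added example (not part of the advisory or of File Browser's code), the Go program below scans constructed common-log-format access-log lines for query parameters that carry tokens and produces a redacted request target that is safe to retain; the parameter names in `sensitiveParams`, the log format and the sample lines are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
)

// Query parameter names treated as secret-bearing: an assumption for this example, not File Browser's own.
var sensitiveParams = []string{"auth", "token", "access_token"}
// requestTarget captures the request target ("/path?query") from a common-log-format line.
var requestTarget = regexp.MustCompile(`"[A-Z]+ (\S+) HTTP/`)

// redactQuery masks sensitive query values in a request target and reports whether any were present.
func redactQuery(target string) (string, bool) {
	u, err := url.Parse(target)
	if err != nil {
		return target, false
	}
	q, found := u.Query(), false
	for _, name := range sensitiveParams {
		if q.Has(name) {
			q.Set(name, "REDACTED")
			found = true
		}
	}
	u.RawQuery = q.Encode() // re-encodes with sorted keys; the secret value is gone
	return u.String(), found
}

// scanAccessLog maps the 1-based number of each line whose URL carried a secret to the redacted target to log instead.
func scanAccessLog(lines []string) map[int]string {
	findings := map[int]string{}
	for i, line := range lines {
		if m := requestTarget.FindStringSubmatch(line); m != nil {
			if redacted, hit := redactQuery(m[1]); hit {
				findings[i+1] = redacted
			}
		}
	}
	return findings
}

func main() {
	for n, t := range scanAccessLog([]string{ // constructed sample lines, not real traffic
		`10.0.0.5 - - [27/Mar/2025:10:00:00 +0000] "GET /api/resources/docs?auth=secret-token-value HTTP/1.1" 200 512`,
		`10.0.0.5 - - [27/Mar/2025:10:00:01 +0000] "GET /static/app.js HTTP/1.1" 200 8192`,
	}) {
		fmt.Printf("line %d carries a token in its URL; log it as %s\n", n, t)
	}
}
```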
References
- github.com/advisories/GHSA-rmwh-g367-mj4x
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/d5b39a14fd3fc0d1c364116b41289484df7c27b2
- github.com/filebrowser/filebrowser/releases/tag/v2.33.9
- github.com/filebrowser/filebrowser/security/advisories/GHSA-rmwh-g367-mj4x
- github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250327-03_Filebrowser_Sensitive_Data_Transferred_In_URL
- nvd.nist.gov/vuln/detail/CVE-2025-52901
- pkg.go.dev/vuln/GO-2025-3794