CVE-2025-52904: File Browser: Command Execution not Limited to Scope
(updated )
In the web application, all users have a scope assigned, and they only have access to the files within that scope. The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server.
References
- github.com/GoogleContainerTools/distroless
- github.com/advisories/GHSA-hc8f-m8g5-8362
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/issues/5199
- github.com/filebrowser/filebrowser/security/advisories/GHSA-hc8f-m8g5-8362
- github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-01_Filebrowser_Command_Execution_Not_Limited_To_Scope
- nvd.nist.gov/vuln/detail/CVE-2025-52904
- pkg.go.dev/vuln/GO-2025-3793
- sloonz.github.io/posts/sandboxing-1
Code Behaviors & Features
Detect and mitigate CVE-2025-52904 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →