CVE-2025-52995: File Browser vulnerable to command execution allowlist bypass
The Command Execution feature of File Browser only allows the execution of shell commands that have been predefined on a user-specific allowlist. The implementation of this allowlist is erroneous, allowing a user to execute additional commands that are not permitted. The fix commit and the v2.33.10 release that contains it are listed in the references below.
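The advisory does not describe the flawed check itself, so the following is an added example of how a per-user command allowlist should gate execution in Go, written for this page and not taken from File Browser's code base. It assumes a hypothetical `Allowlist` type mapping exact command names to absolute paths; the two properties it enforces are the ones an allowlist bypass typically violates: the first token must match an allowed name exactly (no prefix or path matching), and the command is executed as an argv vector, never through a shell, so `;`, `|` and similar characters cannot chain a second program.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"path/filepath"
	"strings"
)

// Allowlist maps a bare command name (e.g. "ls") to the absolute path that
// is actually executed. Hypothetical type for this example; keys are matched
// exactly, never as prefixes.
type Allowlist map[string]string

var ErrNotAllowed = errors.New("command not in allowlist")

// Tokenize splits a raw command line on whitespace. No shell parsing is
// involved, so metacharacters such as ';' or '|' stay literal arguments.
func Tokenize(raw string) []string {
	return strings.Fields(raw)
}

// Authorize returns the argv to execute for raw, or ErrNotAllowed.
func (a Allowlist) Authorize(raw string) ([]string, error) {
	argv := Tokenize(raw)
	if len(argv) == 0 {
		return nil, ErrNotAllowed
	}
	name := argv[0]
	// Only a bare program name may be looked up: "/bin/ls", "./ls" or
	// "..\\ls" must not be treated as the allowed "ls".
	if name != filepath.Base(name) || strings.ContainsAny(name, `/\`) {
		return nil, ErrNotAllowed
	}
	path, ok := a[name] // exact-key lookup: "lsblk" does not match "ls"
	if !ok {
		return nil, ErrNotAllowed
	}
	// Substitute the pinned absolute path so PATH lookup cannot be abused.
	return append([]string{path}, argv[1:]...), nil
}

// Run executes an authorized command directly via exec.Command (argv form),
// never via "sh -c", and returns its combined output.
func (a Allowlist) Run(raw string) (string, error) {
	argv, err := a.Authorize(raw)
	if err != nil {
		return "", err
	}
	out, err := exec.Command(argv[0], argv[1:]...).CombinedOutput()
	return string(out), err
}

func main() {
	// Constructed allowlist for one user; paths are assumptions for Linux.
	user := Allowlist{"ls": "/bin/ls", "df": "/bin/df"}
	for _, raw := range []string{"ls -la /tmp", "lsblk", "ls; id", "/bin/ls"} {
		argv, err := user.Authorize(raw)
		fmt.Printf("%-14q -> argv=%v err=%v\n", raw, argv, err)
	}
}
```

Because arguments are split on whitespace only, quoted arguments containing spaces are not supported; that is deliberate, since adding shell quoting rules is exactly what reintroduces interpretation of metacharacters. If quoting is needed, use a POSIX-style tokenizer that still yields an argv and keep the exec.Command call as is.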
References
- github.com/advisories/GHSA-w7qc-6grj-w7r8
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108
- github.com/filebrowser/filebrowser/releases/tag/v2.33.10
- github.com/filebrowser/filebrowser/security/advisories/GHSA-w7qc-6grj-w7r8
- github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-05_Filebrowser_Bypass_Command_Execution_Allowlist
- nvd.nist.gov/vuln/detail/CVE-2025-52995
- pkg.go.dev/vuln/GO-2025-3795