CVE-2025-52903: filebrowser Allows Shell Commands to Spawn Other Commands
The Command Execution feature of File Browser only allows the execution of shell commands that have been predefined on a user-specific allowlist. Many tools allow the execution of arbitrary other commands, rendering this limitation void.
References
- github.com/advisories/GHSA-3q2w-42mv-cph4
- github.com/filebrowser/filebrowser
- github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108
- github.com/filebrowser/filebrowser/issues/5199
- github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4
- github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250326-02_Filebrowser_Shell_Commands_Can_Spawn_Other_Commands
- nvd.nist.gov/vuln/detail/CVE-2025-52903
- pkg.go.dev/vuln/GO-2025-3786