CVE-2025-53826: File Browser’s insecure JWT handling can lead to session replay attacks after logout
File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. Please refer to the CWEs listed in this report for further reference and system standards. In summary, the main issue is:
- Tokens remain valid after logout (session replay attacks)
In this report, I used Docker as the documentation instructs:
```shell
# Start File Browser as described in its documentation; the web UI is published on host port 8080
docker run \
  -v filebrowser_data:/srv \
  -v filebrowser_database:/database \
  -v filebrowser_config:/config \
  -p 8080:80 \
  filebrowser/filebrowser
```
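The issue described above comes down to how the server validates a token: a check that only verifies the signature and the expiry has no way of knowing that the user has logged out, so the same token replays until it expires. The following Go program is an added example written for this page and is not File Browser's own code. It builds a minimal HS256 JWT with a hypothetical `Claims` type and a constructed signing key, reproduces the replay (log out, then present the same token) against a stateless check, and shows a server-side revocation list keyed by the token's `jti` closing the gap; `ReplayAfterLogout` returns whether the replayed token was accepted.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"sync"
	"time"
)

// Claims carried in the hypothetical session token. The jti gives each
// token a unique id so the server can revoke it individually at logout.
type Claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Exp int64  `json:"exp"`
}

// Constructed signing key for this example only.
var secret = []byte("example-only-secret-do-not-reuse")

var enc = base64.RawURLEncoding

// Sign produces a minimal HS256 JWT (header.payload.signature).
func Sign(c Claims) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	header := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	signingInput := header + "." + enc.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + enc.EncodeToString(mac.Sum(nil)), nil
}

// Verify checks signature and expiry only. This is everything a stateless
// validator knows, so it cannot tell that the user has since logged out.
func Verify(tok string, now time.Time) (Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("bad signature")
	}
	raw, err := enc.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, err
	}
	if now.Unix() >= c.Exp {
		return Claims{}, errors.New("token expired")
	}
	return c, nil
}

// Revocations is the server-side state the hardened path adds: the jti of
// every logged-out token, kept until that token would have expired anyway.
type Revocations struct {
	mu      sync.Mutex
	revoked map[string]int64 // jti -> exp
}

func NewRevocations() *Revocations { return &Revocations{revoked: make(map[string]int64)} }

// Logout records the token's jti so later presentations are refused.
func (r *Revocations) Logout(tok string, now time.Time) error {
	c, err := Verify(tok, now)
	if err != nil {
		return err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	r.revoked[c.Jti] = c.Exp
	return nil
}

// Authenticate accepts a token only if it is valid AND not revoked.
func (r *Revocations) Authenticate(tok string, now time.Time) (Claims, error) {
	c, err := Verify(tok, now)
	if err != nil {
		return Claims{}, err
	}
	r.mu.Lock()
	defer r.mu.Unlock()
	if _, gone := r.revoked[c.Jti]; gone {
		return Claims{}, errors.New("token revoked at logout")
	}
	return c, nil
}

// Prune drops revocation entries for tokens that have expired, so the list
// stays bounded by the token lifetime rather than growing forever.
func (r *Revocations) Prune(now time.Time) int {
	r.mu.Lock()
	defer r.mu.Unlock()
	n := 0
	for jti, exp := range r.revoked {
		if now.Unix() >= exp {
			delete(r.revoked, jti)
			n++
		}
	}
	return n
}

// ReplayAfterLogout issues a token, logs out, then replays the same token an
// hour later. true reproduces the flaw (stateless check); false shows the
// revocation list rejecting the replay.
func ReplayAfterLogout(useRevocation bool) (bool, error) {
	now := time.Unix(1700000000, 0) // fixed clock so the result is deterministic
	tok, err := Sign(Claims{Sub: "alice", Jti: "tok-0001", Exp: now.Add(24 * time.Hour).Unix()})
	if err != nil {
		return false, err
	}
	if !useRevocation {
		_, err := Verify(tok, now.Add(time.Hour)) // logout only discarded the client copy
		return err == nil, nil
	}
	rev := NewRevocations()
	if err := rev.Logout(tok, now); err != nil {
		return false, err
	}
	_, err = rev.Authenticate(tok, now.Add(time.Hour))
	return err == nil, nil
}

func main() {
	a, _ := ReplayAfterLogout(false)
	b, _ := ReplayAfterLogout(true)
	fmt.Printf("stateless check accepts replayed token: %v\n", a)
	fmt.Printf("revocation-aware check accepts replayed token: %v\n", b)
}
```

The revocation list only needs to hold entries until the token's own `exp`, which is why `Prune` can discard them afterwards; the shorter the token lifetime, the smaller that list stays, and the two mitigations (server-side logout state and short-lived tokens) reinforce each other.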