Summary
[!NOTE]
This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this new advisory to make it clear that all vulnerabilities concerning this feature are disclosed.
For more information about tracking vulnerability issues related to the Command Execution features, check https://github.com/filebrowser/filebrowser/issues/5199.
Summary
In the web application, all users have a scope assigned, and they only have access to the files within that scope.
The Command Execution feature of Filebrowser allows the execution of shell commands which are not restricted to the scope, potentially giving an attacker read and write access to all files managed by the server.
Impact
Shell commands are executed with the uid of the server process without any further restrictions.
This means, that they will have access to at least
- all files managed by the application from all scopes, even those the user does not have access to in the GUI.
- the Filebrowser database file containing the password hashes of all accounts.
The concrete impact depends on the commands being granted to the attacker, but due to other vulnerabilities identified ("Bypass Command Execution Allowlist", "Shell Commands Can Spawn Other Commands", "Insecure File Permissions") it is likely, that full read- and write-access will exist.
Read access to the database means, that the attacker is capable of extracting all user password hashes.
This enables an offline dictionary attack on the passwords of all accounts, though the choice of the password hash function (bcrypt with a complexity of 10) gives a strong protection against such attacks.
Write access to the database means that attackers are capable of changing a user's password hash, allowing them to impersonate any user account, including an administrator.
Vulnerability Description
Shell commands executed by a user are created as a simple subprocess of the application without any further restrictions.
That means, that they have full access to files accessible by the application.
The scope that is assigned to every account is not considered.
As a prerequisite, an attacker needs an account with the Execute Commands permission and some permitted commands.
Proof of Concept
Any exploit highly depends on the commands granted to the attacker.
The following screenshot shows, how all password hashes can be extracted using only the grep command:
Recommended Countermeasures
Until this issue is fixed, we recommend to completely disable Execute commands for all accounts.
Since the command execution is an inherently dangerous feature that is not used by all deployments, it should be possible to completely disable it in the application's configuration.
As a defense-in-depth measure, organizations not requiring command execution should operate the Filebrowser from a distroless container image.
There are two approaches to fixing this issue:
- Limiting the process when it is started e.g., by using user namespaces with a tool like Bubblewrap. If this path is chosen, it is important to use a method that works both on a bare-metal server and within an unprivileged container.
- Re-architecting the command execution feature so that file in the various scopes have a distinct uid as an owner and all shell command are executed under the uid of the user's scope.
Timeline
2025-03-26Identified the vulnerability in version 2.32.02025-04-11Contacted the project2025-04-18Vulnerability disclosed to the project2025-06-25Uploaded advisories to the project's GitHub repository2025-06-25CVE ID assigned by GitHub2025-06-25A patch version has been pushed to disable the feature for all existent installations, and making it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Due to the project being in maintenance-only mode, the bug has not been fixed. Fix is tracked on https://github.com/filebrowser/filebrowser/issues/5199.
References
- Sandboxing Applications with Bubblewrap: Securing a Basic Shell
- "Distroless" Container Images.
- Original Advisory
Credits
- Mathias Tausig (SBA Research)
Impact
Untrusted input is inserted into a command that is later executed by the application, allowing the attacker to alter the intent of that command. Typical impact: arbitrary command execution in the application's environment.
CVE-2025-52904 has a CVSS score of 8.0 (High). The vector is network-reachable, high privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.33.8); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-52904? CVE-2025-52904 is a high-severity command injection vulnerability in github.com/filebrowser/filebrowser/v2 (go), affecting versions < 2.33.8. It is fixed in 2.33.8. Untrusted input is inserted into a command that is later executed by the application, allowing the attacker to alter the intent of that command.
- How severe is CVE-2025-52904? CVE-2025-52904 has a CVSS score of 8.0 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of github.com/filebrowser/filebrowser/v2 are affected by CVE-2025-52904? github.com/filebrowser/filebrowser/v2 (go) versions < 2.33.8 is affected.
- Is there a fix for CVE-2025-52904? Yes. CVE-2025-52904 is fixed in 2.33.8. Upgrade to this version or later.
- Is CVE-2025-52904 exploitable, and should I be worried? Whether CVE-2025-52904 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-52904 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2025-52904? Upgrade
github.com/filebrowser/filebrowser/v2to 2.33.8 or later.