Summary
Summary
Files managed by the File Browser can be shared with a link to external persons. While the application allows protecting those links with a password, the implementation is error-prone, making an incidental unprotected sharing of a file possible.
Impact
File owners might rest in the assumption that their shared files are only accessible to persons knowing the defined password, giving them a false sense of security. Meanwhile, attackers gaining access to the unprotected link can use this information alone to download the possibly sensitive file.
Vulnerability Description
When sharing a file, the user is presented with a dialog asking for an optional password to protect the file share. The assumption of the user at this point would be, that the shared file won't be accessible without knowledge of the password. After clicking on SHARE the following dialog opens allowing the file's owner to copy the share-link:
In fact, there is not one, but two links offered: A Download Link and an unnamed second one. They have the following format:
- http://filebrowser.local:8080/share/6Gtw0xAw
- http://filebrowser.local:8080/api/public/dl/6Gtw0xAw/dummy1.pdf?token=voDK6j[...]
Apparently, the first of the two share links is that one that users are supposed to actually share, while the second one is a direct download link not protected by the password. This behavior is not documented anywhere or explained in the GUI, though.
There are multiple scenarios how an attacker might gain access to the unprotected link and, in consequence, to the shared file:
- The file owner might incidentally share the second link instead of the first one, making it accessible to anyone having read access to the messaging system used (e.g., a mailserver).
- After the legitimate receiver of the share has used the password, the unprotected link will get linked in multiple locations like the browser history or the log of a proxy server used.
Proof of Concept
Using the first link results in an authorization error if no password is provided, as expected:
GET /api/public/share/6Gtw0xAw HTTP/1.1
Host: filebrowser.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://filebrowser.local:8080/share/6Gtw0xAw
X-Auth:
X-SHARE-PASSWORD:
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Priority: u=4
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Thu, 27 Mar 2025 10:59:12 GMT
Content-Length: 17
401 Unauthorized
Only if the password is provided (via the X-SHARE-PASSWORD header), a proper response is given:
GET /api/public/share/6Gtw0xAw HTTP/1.1
Host: filebrowser.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://filebrowser.local:8080/share/6Gtw0xAw
X-Auth:
X-SHARE-PASSWORD: 1234
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Priority: u=0
HTTP/1.1 200 OK
Cache-Control: no-cache, no-store, must-revalidate
Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';
Content-Type: application/json; charset=utf-8
Date: Thu, 27 Mar 2025 10:59:15 GMT
Content-Length: 301
{"path":"","name":"dummy1.pdf","size":7703,"extension":".pdf","modified":"2025-03-27T15:11:45.101242449Z","mode":420,"isDir":false,"isSymlink":false,"type":"pdf","token":"voDK6j[...]"}
But it does not return the actual file content but rather an access token.
This is the very same token that is already part of the second share URL and is used by the web application to recreate the actual download URL.
If you are in possession of that one, no further password check is performed, and the content of the file is returned:
GET /api/public/dl/6Gtw0xAw?inline=true&token=voDK6j[...] HTTP/1.1
Host: filebrowser.local:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Referer: http://filebrowser.local:8080/share/6Gtw0xAw
Upgrade-Insecure-Requests: 1
Priority: u=0, i
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: private
Content-Disposition: inline
Content-Length: 7703
Content-Security-Policy: default-src 'self'; style-src 'unsafe-inline';
Content-Security-Policy: script-src 'none';
Content-Type: application/pdf
Last-Modified: Mon, 03 Mar 2025 15:11:45 GMT
Date: Thu, 27 Mar 2025 10:59:18 GMT
%PDF-1.4
%Çì¢
%%Invocation: path/gs -P- -dSAFER -dCompatibilityLevel=1.4 -q -P- -dNOPAUSE -dBATCH -sDEVICE=pdfwrite -sstdout=? -sOutputFile=? -P- -dSAFER -dCompatibilityLevel=1.4 -
5 0 obj
[...]
Recommended Countermeasures
A short time solution would be to simple remove the second link from the GUI when a password protected share is created.
Doing so will be a proper defense against user errors, but it will still leave unprotected links in various logs.
A thorough fix has to eliminate the unprotected links completely, access to the file must only be given to requests containing the share password.
Timeline
2025-03-27Identified the vulnerability in version 2.32.02025-04-11Contacted the project2025-04-29Vulnerability disclosed to the project2025-06-25Uploaded advisories to the project's GitHub repository2025-06-25CVE ID assigned by GitHub2025-06-29Mitigation of user error released in version 2.34.22025-06-29Issue #5239 opened to track a more thorough fix of the feature
References
Credits
- Mathias Tausig (SBA Research)
Impact
CVE-2025-52996 has a CVSS score of 3.1 (Low). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. No fixed version is listed yet, so configuration controls and monitoring matter more in the interim.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is CVE-2025-52996? CVE-2025-52996 is a low-severity security vulnerability in github.com/filebrowser/filebrowser (go), affecting versions <= 1.11.0. No fixed version is listed yet.
- How severe is CVE-2025-52996? CVE-2025-52996 has a CVSS score of 3.1 (Low). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which packages are affected by CVE-2025-52996?
github.com/filebrowser/filebrowser(go) (versions <= 1.11.0)github.com/filebrowser/filebrowser/v2(go) (versions <= 2.42.1)
- Is there a fix for CVE-2025-52996? No fixed version is listed for CVE-2025-52996 yet. Monitor the advisory for updates and apply mitigations in the interim.
- Is CVE-2025-52996 exploitable, and should I be worried? Whether CVE-2025-52996 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2025-52996 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.