We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2025-52995

File Browser vulnerable to command execution allowlist bypass



Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. This issue has been patched in version 2.33.10.

Reserved 2025-06-24 | Published 2025-06-30 | Updated 2025-06-30 | Assigner GitHub_M


HIGH: 8.1CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Product status

< 2.33.10
affected

References

github.com/...rowser/security/advisories/GHSA-w7qc-6grj-w7r8

github.com/...ommit/4d830f707fc4314741fd431e70c2ce50cd5a3108

github.com/filebrowser/filebrowser/releases/tag/v2.33.10

cve.org (CVE-2025-52995)

nvd.nist.gov (CVE-2025-52995)

Download JSON

Share this page
https://cve.threatint.eu/CVE/CVE-2025-52995

Support options

Helpdesk Chat, Email, Knowledgebase
© Copyright 2025 THREATINT
Made in Cyprus with +
 System status
Find us on
Data Privacy
Terms of Use
Logo BSI Allianz für Cyber-Sicherheit
Error loading Crisp.chat. Please check your web content filter and browser plugins.