Vulnerability in Nextcloud Desktop Affects User Data Sharing Capabilities
CVE-2025-47792

5 MEDIUM

Key Information:

Vendor: Nextcloud
CVE Published: 16 May 2025

What is CVE-2025-47792?

Nextcloud Desktop, the synchronization client for Nextcloud, is affected by a vulnerability that allows third-party applications on a user's machine to exploit the socket API. This can lead to unauthorized creation of link shares for nearly all data stored within the Nextcloud environment. These shares can be easily transmitted to external services, posing a severe risk to user data privacy. Nextcloud has addressed this issue in version 3.15, preventing such unauthorized access. Currently, there are no known workarounds for this vulnerability.

Affected Version(s)

security-advisories < 3.15

CVSS V3.1

Score: 5
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
