File Upload Vulnerability in Nextcloud Server and Groupfolders App
CVE-2025-47793

4.3 MEDIUM

Key Information:

Vendor: Nextcloud

CVE Published: 16 May 2025

What is CVE-2025-47793?

Nextcloud Server, a self-hosted cloud storage solution, and its Groupfolders app have a significant issue: logged-in users can upload files that exceed the quotas configured for group folders. The vulnerability arises from a lack of quota enforcement on attachments, which allows users to bypass limits set by administrators. Affected versions of Nextcloud Server are those prior to 30.0.2, 29.0.9, and 28.0.1, and of Nextcloud Enterprise Server those prior to 30.0.2 and 29.0.9. The Groupfolders app is also affected in versions below 18.0.3, 17.0.5, or 16.0.11. To mitigate this vulnerability, users should upgrade to the latest versions, where this issue has been resolved.

Affected Version(s)

security-advisories | >= 30.0.0, < 30.0.2 | < 30.0.0, 30.0.2

security-advisories | >= 29.0.0, < 29.0.9 | < 29.0.0, 29.0.9

security-advisories | >= 28.0.0, < 28.0.12 | < 28.0.0, 28.0.12

References

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
