Command Execution Vulnerability in File Browser by File Browser Team
CVE-2025-52903

8.1 HIGH

Key Information:

Vendor
CVE Published: 26 June 2025

What is CVE-2025-52903?

A command execution vulnerability exists in File Browser: users with 'Execute commands' permissions can execute arbitrary commands because the allowlist mechanism is flawed. The impact is significant, as it gives attackers full code execution with the UID of the server process. To mitigate this risk, disable the 'Execute commands' feature for all users and use a distroless container image. A patch has made the feature opt-in and added warnings, but the vulnerability itself remains unfixed while the project is in maintenance-only mode. Users should take immediate precautions to secure their deployments.

Affected Version(s)

filebrowser = 2.32.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
