Command Execution Vulnerability in File Browser by Filebrowser
CVE-2025-52904

8.1 HIGH

Key Information:

Vendor
CVE Published: 26 June 2025

What is CVE-2025-52904?

File Browser version 2.32.0 has a command execution feature that allows shell commands to run outside the restricted user scope. This enables unauthorized read and write access to sensitive files on the server. Users are urged to disable command execution as a precaution. For setups where command execution is unnecessary, running File Browser from a distroless container image is advisable for additional hardening. A patch is available that disables the feature by default, making it explicitly opt-in, and the documentation has been updated to warn users about the risks of enabling it.

Affected Version(s)

filebrowser = 2.32.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed
