Business Logic Flaw in FileRise Web-Based File Manager
CVE-2025-62509

8.1 HIGH

Key Information:

Vendor: Error311

Status
Vendor
CVE Published: 20 October 2025

What is CVE-2025-62509?

FileRise, a self-hosted web-based file manager, contains a business logic flaw that lets low-privilege users perform unauthorized operations on files created by other users. The flaw arises because folder ownership and visibility are managed by folder name, without the necessary server-side authorization checks. Because folder names follow predictable patterns, an attacker can view, delete, or modify files belonging to other users. The vulnerability is addressed in version 1.4.0, with further security enhancements introduced in version 1.5.0. To mitigate the risk, restrict non-admin user permissions and enforce strict server-side ownership checks on file operations.
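
The weakness class described above, shown as an added example that is not FileRise code: a name-based visibility rule next to a server-side ownership check, plus a regression check that lists where the two disagree. The naming convention, users, folders and function names are all assumptions constructed for illustration.

```python
# Added illustration: a generic model, not FileRise source code.
# The naming convention, users and folders are constructed for the example.
from dataclasses import dataclass

OPERATIONS = {"view", "modify", "delete"}

@dataclass(frozen=True)
class User:
    name: str
    is_admin: bool = False

# Owner recorded server-side when each folder was created (constructed data).
FOLDER_OWNER = {"alice": "alice", "bob": "bob", "bob-invoices": "alice"}

class Forbidden(Exception):
    """Raised when a request fails the authorization check."""

def allowed_by_name(user: User, folder: str) -> bool:
    # Weak pattern: ownership is inferred from the folder name alone.
    return user.is_admin or folder.startswith(user.name)

def allowed_by_owner(user: User, folder: str) -> bool:
    # Hardened pattern: compare the caller with the stored owner and
    # fail closed when the folder has no ownership record.
    owner = FOLDER_OWNER.get(folder)
    return owner is not None and (user.is_admin or owner == user.name)

def authorize(user: User, folder: str, operation: str, check=allowed_by_owner) -> bool:
    # Called on the server for every request, before the file is touched.
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation: {operation}")
    if not check(user, folder):
        raise Forbidden(f"{user.name} may not {operation} in {folder!r}")
    return True

def over_grants(users, folders):
    # Regression check: pairs the name-based rule allows but the owner rule denies.
    return [(u.name, f) for u in users for f in folders
            if allowed_by_name(u, f) and not allowed_by_owner(u, f)]

if __name__ == "__main__":
    people = [User("alice"), User("bob"), User("root", is_admin=True)]
    print(over_grants(people, FOLDER_OWNER))
```

Running `over_grants` against real ownership metadata after an upgrade is a quick way to confirm that no name-derived access path remains.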

Affected Version(s)

FileRise < 1.4.0

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
