CVE-2025-52901— File Browser allows sensitive data to be transferred in URL
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2025-52901
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
File Browser allows sensitive data to be transferred in URL
Source: NVD (National Vulnerability Database)
Vulnerability Description
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give an attacker full access to a user's account and, in consequence, to all sensitive files the user has access to. This issue has been patched in version 2.33.9.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过GET请求中的查询字符串导致的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
FileBrowser 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FileBrowser是开源的一款网页文件浏览器。提供指定目录下的文件管理界面,可用于上传、删除、预览、重命名和编辑您的文件。它允许创建多个用户,每个用户可以有自己的目录。它可以用作独立的应用程序或中间件。 FileBrowser 2.33.9之前版本存在安全漏洞,该漏洞源于访问令牌作为GET参数传递,可能导致会话标识符泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| filebrowser | filebrowser | < 2.33.9 | - |
II. Public POCs for CVE-2025-52901
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2025-52901
请登录查看更多情报信息。
Same Patch Batch · filebrowser · 2025-06-30 · 4 CVEs total
| CVE-2025-52995 | 8.1 HIGH | File Browser vulnerable to command execution allowlist bypass |
| CVE-2025-52997 | 5.9 MEDIUM | File Browser Insecurely Handles Passwords |
| CVE-2025-52996 | 3.1 LOW | File Browser's Password Protection of Links Vulnerable to Bypass |
IV. Related Vulnerabilities
Same product: filebrowser
- CVE-2026-35607
File Browser: Proxy auth auto-provisioned users inherit Exec - CVE-2026-35606
File Browser discloses text file content via /api/resources - CVE-2026-35605
File Browser has an access rule bypass via HasPrefix without - CVE-2026-35604
File Browser share links remain accessible after Share/Downl - CVE-2026-35585
File Browser has a Command Injection via Hook Runner
Same vendor: filebrowser
- CVE-2026-35607
File Browser: Proxy auth auto-provisioned users inherit Exec - CVE-2026-35606
File Browser discloses text file content via /api/resources - CVE-2026-35605
File Browser has an access rule bypass via HasPrefix without - CVE-2026-35604
File Browser share links remain accessible after Share/Downl - CVE-2026-35585
File Browser has a Command Injection via Hook Runner
Same weakness: CWE-598
- CVE-2026-34020
Apache OpenMeetings: Login Credentials Passed via GET Query - CVE-2026-25118
immich-server: Insecure Transmission of Authentication Crede - CVE-2026-33620
PinchTab: API Bearer Token Exposed in URL Query Parameter vi - CVE-2025-14808
IBM InfoSphere Information Server is vulnerable due to discl - CVE-2026-31381
Gainsight Assist plugin information disclosure
V. Comments for CVE-2025-52901
No comments yet