Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2025-52901

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give an attacker full access to a user's account and, in consequence, to all sensitive files the user has access to. This issue has been patched in version 2.33.9.

Published

2025-06-30T20:15:25.390

Last Modified

2025-08-04T18:15:35.040

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 4.5 (MEDIUM)

Weaknesses

Type: Secondary
CWE-598

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	filebrowser	filebrowser	≤ 2.33.0	Yes

References

https://github.com/filebrowser/filebrowser/commit/d5b39a14fd3fc0d1c364116b41289484df7c27b2 Patch ([email protected])
https://github.com/filebrowser/filebrowser/releases/tag/v2.33.9 Release Notes ([email protected])
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-rmwh-g367-mj4x Exploit, Vendor Advisory ([email protected])
https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250327-03_Filebrowser_Sensitive_Data_Transferred_In_URL ([email protected])