CVE Alert: CVE-2025-52901
Vulnerability Summary: CVE-2025-52901
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give an attacker full access to a user’s account and, in consequence, to all sensitive files the user has access to. This issue has been patched in version 2.33.9.
Affected Endpoints:
- GET parameters
Published Date:
6/30/2025, 8:15:25 PM
⚠️ CVSS Score:
Exploit Status:
Not ExploitedReferences:
- https://github.com/filebrowser/filebrowser/commit/d5b39a14fd3fc0d1c364116b41289484df7c27b2
- https://github.com/filebrowser/filebrowser/releases/tag/v2.33.9
- https://github.com/filebrowser/filebrowser/security/advisories/GHSA-rmwh-g367-mj4x
Recommended Action:
No proposed action available. Please refer to vendor documentation for updates.
A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.
If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below
To keep up to date follow us on the below channels.
