CVE-2025-52904 Overview
CVE-2025-52904 affects File Browser, a web application that provides a file management interface within a configured directory scope. The vulnerability exists in the Command Execution feature of File Browser versions on the 2.x branch prior to v2.33.8. While users are assigned scopes that restrict file access, the Command Execution feature does not honor those scope boundaries. An authenticated user granted execute permissions can run arbitrary shell commands, gaining read and write access to every file managed by the server. The maintainers recommend disabling the Execute commands capability for all accounts, and this feature ships disabled by default starting in v2.33.8, including for upgrades of existing installations.
Critical Impact
An authenticated File Browser user with execute permissions can break out of their assigned scope and access or modify any file the server process can reach, leading to full compromise of managed data.
Affected Products
- File Browser v2.32.0 and earlier 2.x branch releases
- File Browser deployments with the Execute commands capability enabled for any account
- File Browser installations upgraded from older releases without applying v2.33.8 defaults
Discovery Timeline
- 2025-06-26 - CVE-2025-52904 published to the National Vulnerability Database
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-52904
Vulnerability Analysis
File Browser implements a scope model where each user account is bound to a directory subtree. File operations such as upload, delete, preview, rename, and edit are filtered through that scope. The Command Execution feature, however, executes shell commands directly in the context of the File Browser server process. These commands are not constrained by the per-user scope, so any binary, path, or file accessible to the server process becomes reachable from a restricted account. The flaw is categorized as a Command Injection issue tracked under CWE-77.
Root Cause
The root cause is a missing authorization boundary between the scope enforcement layer and the command execution subsystem. Scope checks apply to file API handlers, but the command runner invokes the operating system shell without remapping the working directory, validating arguments against the scope, or sandboxing the child process. Any privilege the server holds on disk becomes implicitly delegated to the executing user.
Attack Vector
Exploitation requires an authenticated account that has the Execute commands permission enabled by an administrator. The attacker sends a command through the File Browser command interface and receives the output of a process that runs with the privileges of the File Browser daemon. From that shell context the attacker can read configuration files, exfiltrate other tenants' data, modify files outside the assigned scope, or pivot to other services reachable from the host. The high attack complexity reflects the prerequisite that an administrator must have explicitly enabled the command execution feature and granted the permission, despite documented warnings.
The vulnerability is described in prose because no verified proof-of-concept code has been published. Refer to the GitHub Security Advisory GHSA-hc8f-m8g5-8362 and the SBA Research Advisory SBA-ADV-20250326-01 for additional technical context.
Detection Methods for CVE-2025-52904
Indicators of Compromise
- Unexpected child processes spawned by the File Browser binary, such as sh, bash, cmd.exe, or powershell.exe.
- File reads or writes by the File Browser process targeting paths outside any configured user scope.
- File Browser audit log entries showing command execution events from non-administrative accounts.
- Outbound network connections originating from the File Browser process to attacker-controlled hosts.
Detection Strategies
- Inventory all File Browser instances and inspect their configuration to identify accounts with the Execute commands permission enabled.
- Enable verbose logging on File Browser and forward command execution events to a centralized log platform for review.
- Build behavioral rules that flag any shell process whose parent is the File Browser daemon.
- Correlate File Browser command events with file system telemetry to identify access outside the user's scope.
Monitoring Recommendations
- Continuously monitor process lineage on hosts running File Browser to identify shell descendants.
- Alert on configuration changes that re-enable the Execute commands feature after a v2.33.8 upgrade.
- Track read access to sensitive files such as /etc/passwd, SSH keys, and File Browser's own database from the File Browser process.
How to Mitigate CVE-2025-52904
Immediate Actions Required
- Upgrade File Browser to v2.33.8 or later, which disables the Execute commands feature by default.
- Disable the Execute commands capability for every account until the upgrade is complete.
- Audit existing accounts and revoke execute permissions that are not required for documented workflows.
- Rotate credentials and review logs on any host where unauthorized command execution may have occurred.
Patch Information
The File Browser maintainers released v2.33.8 with the Execute commands feature disabled by default for both new and existing installations. The fix is documented in GitHub Security Advisory GHSA-hc8f-m8g5-8362 and tracked as GO-2025-3793. The maintainers' position is that command execution is an inherently dangerous feature that should remain off unless an operator has accepted the risk.
Workarounds
- Set the commands permission to an empty list for every user and the global default in the File Browser configuration.
- Run File Browser inside a minimal container image, such as a distroless base, so no shell binary is available to invoke.
- Apply OS-level sandboxing such as seccomp, AppArmor, or the techniques described in this sandboxing reference to restrict syscalls and filesystem access for the File Browser process.
- Place File Browser behind an authenticating reverse proxy and restrict administrative endpoints to trusted networks.
# Configuration example: disable command execution for all users
filebrowser users update <username> --commands ""
filebrowser config set --commands ""
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

