Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64523

CVE-2025-64523: Filebrowser Auth Bypass Vulnerability

CVE-2025-64523 is an authentication bypass flaw in Filebrowser that allows authenticated users to delete others' shared links without authorization. This article covers the technical details, affected versions, and mitigation.

Published:

CVE-2025-64523 Overview

CVE-2025-64523 is an Insecure Direct Object Reference (IDOR) vulnerability in File Browser, a web application that provides a file managing interface within a specified directory. The flaw exists in the share deletion functionality of versions prior to 2.45.1. Any authenticated user with share permissions can delete shared links owned by other users because the application fails to perform ownership or authorization checks before processing deletion requests. This enables attackers to disrupt collaborative workflows, remove shared resources, and break links referenced in business operations. Version 2.45.1 contains the official fix. The vulnerability is tracked under CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key).

Critical Impact

Authenticated users can delete other users' shared links without authorization, causing denial of service for legitimate collaborators and potential data confidentiality breaches in shared environments.

Affected Products

  • File Browser (filebrowser/filebrowser) versions prior to 2.45.1
  • All deployments exposing the share management API to authenticated users
  • Self-hosted File Browser instances used for collaborative file sharing

Discovery Timeline

  • 2025-11-12 - CVE-2025-64523 published to the National Vulnerability Database (NVD)
  • 2025-11-12 - GitHub Security Advisory GHSA-6cqf-cfhv-659g published
  • 2025-11-12 - Patch commit 291223b released in version 2.45.1
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64523

Vulnerability Analysis

The vulnerability resides in the share deletion endpoint of File Browser. When an authenticated user submits a request to delete a share, the server identifies the share by an attacker-controllable identifier such as a share hash or ID. The handler does not verify that the requesting user owns the share or holds administrative privileges. As a result, any user account with share permissions can submit a deletion request for any share identifier in the system. The server processes the request and removes the share record. This pattern matches the CWE-639 class of authorization bypass through user-controlled keys.

Root Cause

The root cause is a missing authorization check in the share deletion handler. The application authenticates the user and confirms the user has the generic share permission, but it does not compare the share record's owner field against the requesting user's identity. Authentication is conflated with authorization.

Attack Vector

An attacker requires an authenticated File Browser account with share permissions, which is a common default in multi-user deployments. The attacker enumerates or guesses share identifiers and issues HTTP DELETE requests against the share management API. Each request removes the referenced share regardless of ownership. The attack can be scripted to remove every share in the instance, producing a denial-of-service effect on collaborative workflows.

No verified public proof-of-concept code is available. Refer to the GHSA-6cqf-cfhv-659g advisory and the patch commit diff for technical details of the corrected authorization logic.

Detection Methods for CVE-2025-64523

Indicators of Compromise

  • Unexpected disappearance of shared links reported by users across multiple accounts
  • High volume of HTTP DELETE requests against the /api/share/ endpoint from a single authenticated session
  • Share deletion audit log entries where the actor user differs from the share owner
  • Sequential or enumerated share hashes targeted within a short time window

Detection Strategies

  • Review File Browser application logs and reverse proxy logs for DELETE requests against share endpoints correlated with the requesting user identity
  • Compare share owner fields against the acting user in deletion events to identify cross-user deletions
  • Alert on bursts of share deletion activity exceeding a baseline threshold per user account

Monitoring Recommendations

  • Forward File Browser HTTP access logs and audit events to a centralized logging or SIEM platform for retention and correlation
  • Monitor authentication events for accounts with share permissions, especially newly created or low-privilege accounts
  • Track the running version of File Browser across deployments and alert when instances remain below 2.45.1

How to Mitigate CVE-2025-64523

Immediate Actions Required

  • Upgrade File Browser to version 2.45.1 or later on all instances
  • Audit existing shares and restore any links that were deleted without authorization
  • Review user accounts with share permissions and remove unnecessary privileges
  • Inspect application logs for prior exploitation activity targeting the share deletion endpoint

Patch Information

The maintainers released the fix in File Browser version 2.45.1 through commit 291223b3cefe1e50fae8f73d70464b1dc25351a4. The patch adds an ownership check that verifies the requesting user owns the share or holds administrative privileges before processing the deletion. Full details are documented in GitHub Security Advisory GHSA-6cqf-cfhv-659g.

Workarounds

  • Restrict the share permission to administrative users only until the patch is applied
  • Place File Browser behind a reverse proxy that enforces additional access controls on the share management API
  • Implement regular automated backups of the File Browser database to enable rapid restoration of deleted share records
  • Limit File Browser exposure to trusted networks where feasible
bash
# Upgrade File Browser to the patched version
# Docker deployment example
docker pull filebrowser/filebrowser:v2.45.1
docker stop filebrowser && docker rm filebrowser
docker run -d --name filebrowser \
  -v /srv/filebrowser/data:/srv \
  -v /srv/filebrowser/database.db:/database.db \
  -v /srv/filebrowser/settings.json:/.filebrowser.json \
  filebrowser/filebrowser:v2.45.1

# Verify version after upgrade
docker exec filebrowser /filebrowser version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.