Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit fe755ef6feaa · 2025-11-13T22:37:53.000Z
GHSA-6cqf-cfhv-659g GHSA-6jqf-mv7m-3q7p
diff --git a/advisories/github-reviewed/2025/11/GHSA-6cqf-cfhv-659g/GHSA-6cqf-cfhv-659g.json b/advisories/github-reviewed/2025/11/GHSA-6cqf-cfhv-659g/GHSA-6cqf-cfhv-659g.json
@@ -0,0 +1,84 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6cqf-cfhv-659g",
+  "modified": "2025-11-13T22:34:51Z",
+  "published": "2025-11-13T22:34:51Z",
+  "aliases": [
+    "CVE-2025-64523"
+  ],
+  "summary": "File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share Deletion Function",
+  "details": "### Summary\nIt has been found an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks.\n\nThe impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.\n\n### Details\n**Technical Analysis**\n\nThe vulnerability exists in` /http/share.go` at lines 72-82. The shareDeleteHandler function processes deletion requests using only the share hash without comparing the link.UserID with the current authenticated user's ID (d.user.ID). This missing authorization check enables the vulnerability.\n\n```\nvar shareDeleteHandler = withPermShare(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {\n    hash := strings.TrimSuffix(r.URL.Path, \"/\")\n    hash = strings.TrimPrefix(hash, \"/\")\n\n    if hash == \"\" {\n        return http.StatusBadRequest, nil\n    }\n\n    err := d.store.Share.Delete(hash)  // Missing ownership validation\n    return errToStatus(err), err\n})\n```\n\n### PoC\n**Reproduce Steps:**\n\nPrerequisites: Two authenticated user accounts (User A and User B) with share permissions\n\nStep 1: User A creates a share link and obtains the share hash (e.g., MEEuZK-v)\n\nStep 2: User B authenticates and obtains a valid JWT token\n\nStep 3: User B sends DELETE request to /api/share/MEEuZK-v with their own JWT token\n\nStep 4: Observe that User A's share is deleted without authorization\n\nDELETE /api/share/MEEuZK-v HTTP/1.1\nHost: filebrowser.local\nContent-Type: application/json\n\n### Impact\n\nThe impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/filebrowser/filebrowser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 2.45.1"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/filebrowser/filebrowser/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.45.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6cqf-cfhv-659g"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64523"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/filebrowser/filebrowser/commit/291223b3cefe1e50fae8f73d70464b1dc25351a4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/filebrowser/filebrowser"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-13T22:34:51Z",
+    "nvd_published_at": "2025-11-12T23:15:39Z"
+  }
+}
diff --git a/advisories/github-reviewed/2025/11/GHSA-6jqf-mv7m-3q7p/GHSA-6jqf-mv7m-3q7p.json b/advisories/github-reviewed/2025/11/GHSA-6jqf-mv7m-3q7p/GHSA-6jqf-mv7m-3q7p.json
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6jqf-mv7m-3q7p",
+  "modified": "2025-11-13T22:36:01Z",
+  "published": "2025-11-13T22:36:01Z",
+  "aliases": [],
+  "summary": "File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency",
+  "details": "The standard library `net/http` package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. I can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.\n\nSee https://nvd.nist.gov/vuln/detail/CVE-2025-22871 for more details.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/filebrowser/filebrowser/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.45.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.45.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6jqf-mv7m-3q7p"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/filebrowser/filebrowser"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1395"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-11-13T22:36:01Z",
+    "nvd_published_at": null
+  }
+}
