x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser/v2: GHSA-6cqf-cfhv-659g

[GoVulnBot]

Advisory GHSA-6cqf-cfhv-659g references a vulnerability in the following Go modules:

Module
github.com/filebrowser/filebrowser
github.com/filebrowser/filebrowser/v2

Description:

Summary

It has been found an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks.

The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, th...

References:

• ADVISORY: GHSA-6cqf-cfhv-659g
• ADVISORY: GHSA-6cqf-cfhv-659g
• ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2025-64523
• FIX: filebrowser/filebrowser@291223b

Cross references:

• github.com/filebrowser/filebrowser appears in 10 other report(s):
  • data/reports/GO-2025-3784.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser/v2: GHSA-4wx8-5gm2-2j97 #3784)
  • data/reports/GO-2025-3785.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-jj2r-455p-5gvf #3785)
  • data/reports/GO-2025-3786.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-3q2w-42mv-cph4 #3786)
  • data/reports/GO-2025-3790.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-3v48-283x-f2w4 #3790)
  • data/reports/GO-2025-3792.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-cm2r-rg7r-p7gg #3792)
  • data/reports/GO-2025-3793.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-hc8f-m8g5-8362 #3793)
  • data/reports/GO-2025-3794.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-rmwh-g367-mj4x #3794)
  • data/reports/GO-2025-3795.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-w7qc-6grj-w7r8 #3795)
  • data/reports/GO-2025-3811.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-7xqm-7738-642x #3811)
  • data/reports/GO-2025-3812.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-7xwp-2cpp-p8r7 #3812)
• github.com/filebrowser/filebrowser/v2 appears in 11 other report(s):
  • data/reports/GO-2022-0563.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-72wf-hwcq-65h9 #563)
  • data/reports/GO-2025-3784.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser/v2: GHSA-4wx8-5gm2-2j97 #3784)
  • data/reports/GO-2025-3785.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-jj2r-455p-5gvf #3785)
  • data/reports/GO-2025-3786.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-3q2w-42mv-cph4 #3786)
  • data/reports/GO-2025-3790.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-3v48-283x-f2w4 #3790)
  • data/reports/GO-2025-3792.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-cm2r-rg7r-p7gg #3792)
  • data/reports/GO-2025-3793.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-hc8f-m8g5-8362 #3793)
  • data/reports/GO-2025-3794.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-rmwh-g367-mj4x #3794)
  • data/reports/GO-2025-3795.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-w7qc-6grj-w7r8 #3795)
  • data/reports/GO-2025-3811.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-7xqm-7738-642x #3811)
  • data/reports/GO-2025-3812.yaml (x/vulndb: potential Go vuln in github.com/filebrowser/filebrowser: GHSA-7xwp-2cpp-p8r7 #3812)

See doc/quickstart.md for instructions on how to triage this report.

id: GO-ID-PENDING
modules:
    - module: github.com/filebrowser/filebrowser
      non_go_versions:
        - introduced: TODO (earliest fixed "", vuln range "< 2.45.1")
      vulnerable_at: 1.11.0
    - module: github.com/filebrowser/filebrowser/v2
      versions:
        - fixed: 2.45.1
      vulnerable_at: 2.45.0
summary: |-
    File Browser is Vulnerable to Insecure Direct Object Reference (IDOR) in Share
    Deletion Function in github.com/filebrowser/filebrowser
cves:
    - CVE-2025-64523
ghsas:
    - GHSA-6cqf-cfhv-659g
references:
    - advisory: https://github.com/advisories/GHSA-6cqf-cfhv-659g
    - advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6cqf-cfhv-659g
    - advisory: https://nvd.nist.gov/vuln/detail/CVE-2025-64523
    - fix: https://github.com/filebrowser/filebrowser/commit/291223b3cefe1e50fae8f73d70464b1dc25351a4
source:
    id: GHSA-6cqf-cfhv-659g
    created: 2025-11-13T23:01:09.400765683Z
review_status: UNREVIEWED