4.5 CVE-2025-52901

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.9, access tokens are used as GET parameters. The JSON Web Token (JWT) which is used as a session identifier will get leaked to anyone having access to the URLs accessed by the user. This will give an attacker full access to a user's account and, in consequence, to all sensitive files the user has access to. This issue has been patched in version 2.33.9.
https://nvd.nist.gov/vuln/detail/CVE-2025-52901

Categories

CWE-598 : Use of GET Request Method With Sensitive Query Strings
The web application uses the HTTP GET method to process a request and includes sensitive information in the query string of that request. Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) When sensitive information is sent, use the POST method (e.g. registration form). A discussion platform leaks private information in GET requests.

References

 

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:filebrowser:filebrowser:*:*:*:*:*:*:*:*		<= 2.33.0

---

REMEDIATION

---

Patch

Url
https://github.com/filebrowser/filebrowser/commit/d5b39a14fd3fc0d1c364116b412...

---

EXPLOITS

---

Exploit-db.com

id	description	date
No known exploits

---

POC Github

Url
No known exploits

---

Other Nist (github, ...)

Url
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-rmwh-g367...

---

CAPEC

---

Common Attack Pattern Enumerations and Classifications

id	description	severity
No entry

---