CVE-2025-52902
📋 TL;DR
File Browser versions prior to 2.33.7 have a stored cross-site scripting (XSS) vulnerability in the Markdown preview function. When users upload Markdown files containing JavaScript code, that code executes in browsers viewing the preview, potentially compromising user sessions. This affects all File Browser deployments using vulnerable versions.
💻 Affected Systems
- File Browser
📦 What is this software?
Filebrowser by Filebrowser
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, take over administrative sessions, upload malicious files, delete or modify all files, and pivot to underlying systems if File Browser runs with elevated privileges.
Likely Case
Attackers inject malicious JavaScript to steal user session cookies, redirect users to phishing sites, or perform actions on behalf of authenticated users.
If Mitigated
With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Exploitation requires an attacker to upload a malicious Markdown file and a victim to preview it. The advisory includes technical details that could be weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.33.7
Vendor Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j97
Restart Required: Yes
Instructions:
1. Stop the File Browser service.
2. Back up configuration and data.
3. Update to version 2.33.7 or later using your package manager or by downloading from GitHub releases.
4. Restart the File Browser service.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable Markdown Preview
Disable the Markdown preview functionality in the File Browser configuration to prevent exploitation.
Edit the configuration file to set "preview" to false for Markdown files.
Restrict File Uploads
Limit file upload permissions to trusted users only and implement file type validation.
Configure File Browser to restrict uploads to specific user groups.
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent script execution from untrusted sources
- Deploy a web application firewall (WAF) with XSS protection rules to block malicious payloads
🔍 How to Verify
Check if Vulnerable:
Check the File Browser version: if it is below 2.33.7, the system is vulnerable. Test by uploading a Markdown file containing <script>alert('XSS')</script> and previewing it.
Check Version:
filebrowser version
Verify Fix Applied:
After updating to 2.33.7 or later, repeat the same XSS test: the script should not execute and should be displayed as plain text.
📡 Detection & Monitoring
Log Indicators:
- Unusual file upload patterns, particularly Markdown files with JavaScript content
- Multiple failed preview attempts with suspicious content
Network Indicators:
- HTTP requests containing JavaScript payloads in file preview endpoints
- Unexpected outbound connections from File Browser server after file previews
SIEM Query:
source="filebrowser.log" AND ("preview" OR "markdown") AND ("script" OR "javascript" OR "onload" OR "onerror")
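As an added illustration of the log indicators above (example code, not from the advisory or the File Browser project), a small Python scanner that flags uploaded Markdown carrying inline HTML script tags, event-handler attributes, embedded frames or javascript: links. It skips fenced code blocks, which CommonMark renders as escaped text, so documentation that merely mentions HTML does not raise alerts; the sample documents are constructed.

```python
import re
from typing import Dict, List

# Indicators of active content that a Markdown preview must neutralise.
# Markdown allows raw inline HTML, so a .md file can carry these verbatim,
# and a renderer that does not sanitise its output will execute them.
INDICATORS: Dict[str, re.Pattern] = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "embedded_frame": re.compile(r"<\s*(iframe|object|embed)\b", re.I),
}

FENCE = re.compile(r"^\s*(```|~~~)")


def scan_markdown(text: str) -> List[dict]:
    """Return one finding per (line, indicator) hit outside fenced code.

    Fenced code is rendered as escaped text by CommonMark, so markup inside
    it is inert; skipping it keeps HTML documentation from raising alerts.
    """
    findings = []
    in_fence = False
    for lineno, line in enumerate(text.splitlines(), start=1):
        if FENCE.match(line):
            in_fence = not in_fence
            continue
        if in_fence:
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append({"line": lineno, "indicator": name,
                                 "snippet": line.strip()[:80]})
    return findings


# Constructed sample uploads (not real files from any deployment).
BENIGN_MD = "# Notes\n\nSee the docs.\n\n```html\n<script>example()</script>\n```\n"
SUSPICIOUS_MD = (
    "# Readme\n"
    "<script>alert('XSS')</script>\n"
    "<img src=x onerror=\"alert('XSS')\">\n"
    "[help](javascript:alert('XSS'))\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_MD), ("suspicious", SUSPICIOUS_MD)):
        hits = scan_markdown(doc)
        print(f"{label}: {len(hits)} finding(s)")
        for hit in hits:
            print(f"  line {hit['line']}: {hit['indicator']}: {hit['snippet']}")
```

Run it over the upload directory at ingest time or from a cron job and forward the findings to the SIEM alongside the query above.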