CVE-2025-52903

8.0 HIGH

📋 TL;DR

CVE-2025-52903 is a command injection vulnerability in File Browser version 2.32.0 that allows authenticated users with 'Execute commands' permission to bypass allowlist restrictions and execute arbitrary shell commands. This grants full code execution rights with the server process privileges. All deployments using the vulnerable version with command execution enabled are affected.

💻 Affected Systems

Products:
  • File Browser
Versions: Version 2.32.0 specifically
Operating Systems: All platforms running File Browser
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if 'Execute commands' feature is enabled for user accounts. The feature is not enabled by default but was previously opt-out rather than opt-in.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to execute arbitrary commands, access sensitive data, install malware, pivot to other systems, and maintain persistent access.

🟠

Likely Case

Authenticated users with command execution permissions can bypass restrictions to run unauthorized commands, potentially leading to data exfiltration, privilege escalation, or lateral movement.

🟢

If Mitigated

With command execution disabled or proper containerization, impact is limited to file management operations only.

🌐 Internet-Facing: HIGH if command execution is enabled and accessible from the internet, as authenticated users can achieve full RCE.
🏢 Internal Only: HIGH for internal deployments with command execution enabled, as authenticated users can still achieve full RCE within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with 'Execute commands' permission. Attackers can bypass allowlist restrictions using standard commands that allow subcommand execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not explicitly specified; the fix disables the 'Execute commands' feature in all existing installations

Vendor Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3q2w-42mv-cph4

Restart Required: Yes

Instructions:

1. Update to the latest File Browser version.
2. Ensure the 'Execute commands' feature is disabled in the configuration.
3. Restart the File Browser service.
4. Verify command execution is disabled for all user accounts.

🔧 Temporary Workarounds

Disable Execute Commands Feature

Platform: all

Completely disable the command execution feature in File Browser configuration

Edit File Browser configuration file to set command execution to disabled
Set appropriate permissions in user management interface

Use Distroless Container

Platform: linux

Run File Browser in a distroless container as defense-in-depth measure

docker run -d --name filebrowser -v /path/to/files:/srv -v /path/to/database.db:/database.db -p 8080:80 filebrowser/filebrowser:distroless

🧯 If You Can't Patch

  • Immediately disable 'Execute commands' permission for ALL user accounts in File Browser
  • Implement network segmentation to isolate File Browser instances and restrict access to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check the File Browser version and verify whether the 'Execute commands' feature is enabled for any user account.

Check Version:

filebrowser version

Verify Fix Applied:

Confirm 'Execute commands' feature is disabled in configuration and no user accounts have this permission enabled

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns
  • Multiple failed command attempts followed by successful execution
  • Commands not in the predefined allowlist being executed

Network Indicators:

  • Unexpected outbound connections from File Browser server
  • Unusual network traffic patterns to/from File Browser instance

SIEM Query:

source="filebrowser.log" AND ("command execution" OR "shell command" OR "exec") AND NOT (allowed_command1 OR allowed_command2)
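The SIEM query above uses placeholder allowlist names. As an added example (not code from the page or from the File Browser project), the following script runs the same detection logic over constructed log lines: it flags exec events whose program name is outside the allowlist or whose command string carries shell metacharacters. The key=value log format, the field names and the allowlist are assumptions; the check cannot see inside an allowed command's own subcommand features, so it complements disabling the feature rather than replacing it.

```python
import re
import shlex
from typing import Optional

# Constructed sample log lines in an assumed key=value format; adjust LINE
# below to match the real File Browser log format of your deployment.
SAMPLE_LOG = """\
2025-06-01T10:00:00Z level=info user=alice event=exec cmd="ls -la /srv/reports"
2025-06-01T10:00:05Z level=info user=alice event=exec cmd="du -sh /srv"
2025-06-01T10:01:10Z level=info user=bob event=exec cmd="ls /srv; id"
2025-06-01T10:01:30Z level=info user=bob event=exec cmd="tar -czf /tmp/x.tgz /srv"
2025-06-01T10:02:00Z level=info user=carol event=login
"""

# Program names the deployment's allowlist permits (constructed example policy).
ALLOWLIST = {"ls", "du", "df"}

# Shell metacharacters that chain, redirect or substitute commands.
META = re.compile(r"[;&|`$<>(){}\n]")

LINE = re.compile(r'^(?P<ts>\S+) .*?user=(?P<user>\S+) event=exec cmd="(?P<cmd>[^"]*)"')

def classify(cmd: str) -> Optional[str]:
    """Return the reason to alert on this command, or None if it looks permitted."""
    if META.search(cmd):
        return "shell metacharacter"
    try:
        argv = shlex.split(cmd)
    except ValueError:
        return "unparseable command"
    if not argv:
        return "empty command"
    # Compare the bare program name, not the whole string, so "ls -la" still
    # matches an allowlist entry of "ls" and "/bin/ls" is not a trivial evasion.
    if argv[0].rsplit("/", 1)[-1] not in ALLOWLIST:
        return f"not in allowlist: {argv[0]}"
    return None

def find_alerts(log_text: str) -> list[dict]:
    """Parse exec events out of the log and return those worth alerting on."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an exec event
        reason = classify(m["cmd"])
        if reason:
            alerts.append({"ts": m["ts"], "user": m["user"], "cmd": m["cmd"], "reason": reason})
    return alerts

if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print(f'{a["ts"]} {a["user"]}: {a["cmd"]!r} -> {a["reason"]}')
```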
