CVE-2025-64011

4.3 MEDIUM

📋 TL;DR

Nextcloud Server 30.0.0 contains an Insecure Direct Object Reference (IDOR) vulnerability in the /core/preview endpoint. Authenticated users can access previews of other users' files by manipulating the fileId parameter, leading to unauthorized data disclosure. This affects all Nextcloud Server 30.0.0 installations with authenticated user access.

💻 Affected Systems

Products:
  • Nextcloud Server
Versions: 30.0.0
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; affects all deployments with the vulnerable version regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Mass data exfiltration where an attacker systematically accesses sensitive files (financial documents, personal data, confidential business information) from all users, potentially leading to regulatory violations and significant reputational damage.

🟠 Likely Case

Targeted access to specific users' files containing sensitive information like personal documents, images, or business data, violating privacy expectations and potentially exposing confidential information.

🟢 If Mitigated

Limited exposure of non-sensitive files or detection through monitoring before significant data loss occurs.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is trivial via parameter manipulation; public proof-of-concept exists in GitHub gists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 30.0.1 or later

Vendor Advisory: https://nextcloud.com

Restart Required: No

Instructions:

1. Back up your Nextcloud installation and database.
2. Update Nextcloud Server to version 30.0.1 or later via the web updater or manual installation.
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable preview endpoint (platform: all)

Temporarily disable the vulnerable /core/preview endpoint via web server configuration:

# For Apache: add to .htaccess
RewriteRule ^core/preview - [F]
# For Nginx: add to server block
location ~ ^/core/preview { return 403; }

Restrict preview access (platform: all)

Implement IP-based restrictions or additional authentication for preview endpoints:

# Example Apache restriction
<Location /core/preview>
    Require ip 192.168.1.0/24
</Location>

🧯 If You Can't Patch

  • Implement strict access controls and monitoring on the /core/preview endpoint
  • Enable detailed logging and alerting for unauthorized file access attempts

🔍 How to Verify

Check if Vulnerable:

Any Nextcloud Server 30.0.0 installation is affected. Check the version in the admin panel or with the occ command below.

Check Version:

php occ status | grep version

Verify Fix Applied:

Confirm that the version is 30.0.1 or later, and test that an authenticated user cannot retrieve previews of another user's files through the /core/preview endpoint.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed or successful requests to /core/preview with different fileId parameters from the same user
  • Access patterns showing a user accessing files outside their normal scope

Network Indicators:

  • Unusual volume of requests to preview endpoint
  • Requests with sequential or manipulated fileId parameters

SIEM Query (pseudo-query; adapt it to your platform, and note that user_owned_files must be a lookup of file ownership that you maintain yourself, since nextcloud.log does not carry it):

source="nextcloud.log" AND (url_path="/core/preview" AND fileId NOT IN user_owned_files)
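The log and network indicators above (many distinct fileId values, or sequential fileId values, from one user against the preview endpoint) can be checked offline with a small script. The following is an added example, not code from this advisory or from Nextcloud: it assumes nextcloud.log-style JSON lines with "user" and "url" fields (the sample lines are constructed), matches both the pretty-URL path /core/preview and the /index.php/core/preview form seen when pretty URLs are not active, and the thresholds (10 distinct ids, or 3+ ids with at least 80% sequential steps) are assumptions to tune for your deployment.

```python
import json
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample entries in the shape of nextcloud.log JSON lines (assumed
# format; only the fields this script reads are included).
def _entry(user, addr, url, second):
    return json.dumps({"time": f"2025-01-10T09:00:{second:02d}+00:00",
                       "remoteAddr": addr, "user": user, "method": "GET", "url": url})

SAMPLE_LOG = "\n".join(
    [_entry("alice", "10.0.0.5", "/core/preview?fileId=1041&x=32&y=32", 1),
     _entry("alice", "10.0.0.5", "/core/preview?fileId=1042&x=32&y=32", 2),
     _entry("bob", "10.0.0.7", "/apps/files/", 3)]
    # constructed: "mallory" walks fileId 2000..2010 via the non-pretty-URL path
    + [_entry("mallory", "10.0.0.9", f"/index.php/core/preview?fileId={i}&x=32&y=32", 4 + n)
       for n, i in enumerate(range(2000, 2011))]
)

# Both spellings of the preview route, depending on whether pretty URLs are active.
PREVIEW_PATHS = ("/core/preview", "/index.php/core/preview")


def preview_file_id(url):
    """Return the integer fileId of a preview request, or None for anything else."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") not in PREVIEW_PATHS:
        return None
    values = parse_qs(parts.query).get("fileId")
    if not values:
        return None
    try:
        return int(values[0])
    except ValueError:
        return None  # non-numeric fileId: not a well-formed preview request


def sequential_ratio(ids):
    """Fraction of adjacent sorted ids that differ by exactly 1 (1.0 = pure walk)."""
    ordered = sorted(ids)
    if len(ordered) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ordered, ordered[1:]) if b - a == 1)
    return steps / (len(ordered) - 1)


def find_preview_enumeration(log_text, min_distinct=10, min_seq_ratio=0.8):
    """Group preview requests per user and flag users that touch many distinct
    fileIds or walk them sequentially. Thresholds are assumptions; tune them."""
    ids_by_user = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        file_id = preview_file_id(entry.get("url", ""))
        if file_id is None:
            continue
        ids_by_user[entry.get("user") or "<unauthenticated>"].add(file_id)

    findings = {}
    for user, ids in ids_by_user.items():
        ratio = sequential_ratio(ids)
        if len(ids) >= min_distinct or (len(ids) >= 3 and ratio >= min_seq_ratio):
            findings[user] = {"distinct_file_ids": len(ids),
                              "sequential_ratio": round(ratio, 2)}
    return findings


if __name__ == "__main__":
    for user, info in find_preview_enumeration(SAMPLE_LOG).items():
        print(f"ALERT user={user} distinct={info['distinct_file_ids']} "
              f"sequential_ratio={info['sequential_ratio']}")
```

Run it against a real nextcloud.log (or the equivalent web server access log, after adapting the line parser) over a time window; a user whose preview requests cover many unrelated or consecutive fileId values is the pattern the indicators above describe, and the per-user result is what you would forward to the SIEM.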
