CVE-2025-66545

3.5 LOW

📋 TL;DR

This vulnerability in Nextcloud Groupfolders allows users with read-only permissions to restore files from the trash bin, bypassing the intended access controls. It affects every Nextcloud instance running a Groupfolders app version older than the patched releases listed below. The result can be unauthorized file restoration and data integrity problems within group folders.

💻 Affected Systems

Products:
  • Nextcloud Groupfolders app
Versions: All versions before 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2
Operating Systems: All platforms running Nextcloud
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with the Groupfolders app installed and configured. Requires user accounts with read-only access to group folders.

⚠️ Risk & Real-World Impact

🔴 Worst Case

A malicious user with read-only access could restore sensitive deleted files, potentially exposing confidential information or bringing back malicious content that was intentionally removed.

🟠 Likely Case

Accidental or intentional restoration of deleted files by users who should not have that capability, potentially causing data management issues or minor data leaks.

🟢 If Mitigated

With proper access controls and monitoring, impact is limited to minor data integrity issues within group folders.

🌐 Internet-Facing: MEDIUM - If Nextcloud is internet-facing, any authenticated user with read-only access could exploit this vulnerability.
🏢 Internal Only: MEDIUM - Internal users with read-only access could still exploit this, though attack surface is smaller than internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple UI interaction or API call to restore trashed files

Exploitation requires an authenticated user with read-only access to a group folder. The flaw lies in the trash restoration functionality, which does not enforce the folder's write permission before restoring a file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, or 20.1.2 depending on your Nextcloud version

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m

Restart Required: No

Instructions:

1. Update the Nextcloud Groupfolders app via the Nextcloud app store or the command line.
2. From the command line: sudo -u www-data php occ app:update groupfolders
3. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable trash functionality (scope: all)

Temporarily disable the trash bin for group folders to prevent restoration attempts.

Modify group folder permissions (scope: all)

Remove read-only access from users who do not need it, or convert it to write access where appropriate.

🧯 If You Can't Patch

  • Implement strict access controls and monitor group folder activity logs
  • Educate users about proper file deletion procedures and risks of unauthorized restoration

🔍 How to Verify

Check if Vulnerable:

Check the Groupfolders app version in the Nextcloud admin settings. If the version is below the patched release for its branch listed under Affected Systems, you are vulnerable.

Check Version:

sudo -u www-data php occ app:list | grep groupfolders

Verify Fix Applied:

After the update, verify that the Groupfolders app version shows the patched release. Then confirm with a read-only user account that it cannot restore files from the trash bin.
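As an added example (not from the advisory or the Groupfolders project), this POSIX shell snippet extracts the groupfolders line from `occ app:list` output and compares the version against the fixed release for its branch listed above. It assumes the `  - groupfolders: <version>` output format, and treats branches newer than 20 as fixed, which the advisory does not state.

```shell
# Added example, not from the advisory: decide whether an installed Groupfolders
# version is below the fixed release listed above for its branch.
# Branch lines newer than 20 are assumed fixed (assumption, not stated in the advisory).

# Fixed release per major branch, exactly as listed in the advisory.
patched_for_branch() {
    case "$1" in
        14) echo 14.0.11 ;; 15) echo 15.3.12 ;; 16) echo 16.0.15 ;; 17) echo 17.0.14 ;;
        18) echo 18.1.8 ;;  19) echo 19.1.8 ;;  20) echo 20.1.2 ;;  *) echo "" ;;
    esac
}

# Compare dotted versions component by component; prints -1, 0 or 1.
# Plain string comparison would wrongly rank 14.0.9 above 14.0.11.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p < q) { print "-1"; exit }
            if (p > q) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit status 0 when the given Groupfolders version is still vulnerable.
is_vulnerable() {
    major=${1%%.*}
    fixed=$(patched_for_branch "$major")
    if [ -z "$fixed" ]; then
        [ "$major" -lt 14 ]   # no fixed release exists for branches before 14
        return
    fi
    [ "$(vercmp "$1" "$fixed")" -lt 0 ]
}

# Pull the version out of `occ app:list` lines of the form "  - groupfolders: 20.1.1".
groupfolders_version() {
    sed -n 's/^[[:space:]]*-[[:space:]]*groupfolders:[[:space:]]*//p' | head -n 1
}

# Constructed sample of `occ app:list` output; on a real host pipe the command itself.
SAMPLE='Enabled:
  - groupfolders: 20.1.1'
v=$(printf '%s\n' "$SAMPLE" | groupfolders_version)
if is_vulnerable "$v"; then echo "groupfolders $v: VULNERABLE"; else echo "groupfolders $v: patched"; fi
```

On a live host, replace the constructed sample with `sudo -u www-data php occ app:list | groupfolders_version`.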

📡 Detection & Monitoring

Log Indicators:

  • Failed trash restoration attempts by read-only users
  • Successful file restoration events from users with only read permissions

Network Indicators:

  • API calls to trash restoration endpoints from unauthorized users

SIEM Query:

source="nextcloud.log" AND "restore" AND "trash" AND user_permission="read"
