CVE-2025-66547
📋 TL;DR
This vulnerability allows non-privileged Nextcloud users to modify tags on files they shouldn't have access to through bulk tagging operations. It affects Nextcloud Server and Enterprise Server installations where users have access to the tagging feature. The issue enables unauthorized metadata manipulation but doesn't grant file content access.
💻 Affected Systems
- Nextcloud Server
- Nextcloud Enterprise Server
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could systematically corrupt or manipulate metadata tags across the entire file repository, potentially disrupting workflows, causing data organization issues, or hiding sensitive files through tag manipulation.
Likely Case
Users accidentally or intentionally modifying tags on files they shouldn't access, causing minor data integrity issues and potential confusion in file organization.
If Mitigated
With proper access controls and monitoring, impact is limited to metadata corruption on a subset of files, which can be audited and corrected.
🎯 Exploit Status
Exploitation requires authenticated user access and knowledge of the bulk tagging feature. The vulnerability was responsibly disclosed through HackerOne.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 31.0.1
Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hq6c-r898-fgf2
Restart Required: No
Instructions:
1. Back up your Nextcloud installation and database.
2. Update Nextcloud to version 31.0.1 or later using the updater in the admin interface or manually via the command line.
3. Verify that the update completed successfully.
🔧 Temporary Workarounds
Disable Tagging Feature
Temporarily disable the tagging functionality for all users until patching can be completed:
occ config:app:set core enable_file_tags --value false
🧯 If You Can't Patch
- Implement strict access controls and monitor tag modification activities in logs
- Educate users about proper file access permissions and restrict bulk operations to trusted users only
🔍 How to Verify
Check if Vulnerable:
Check your Nextcloud version in the admin interface under 'Basic settings' or run: occ status
Check Version:
occ status | grep 'versionstring'
Verify Fix Applied:
Confirm version is 31.0.1 or higher and test that users can no longer modify tags on files they lack access to via bulk operations.
📡 Detection & Monitoring
Log Indicators:
- Unusual bulk tag modification activities
- Tag changes on files by unauthorized users
- Multiple tag operations in short timeframes
Network Indicators:
- Increased API calls to tagging endpoints
- Bulk POST requests to /apps/files/tags
SIEM Query:
source="nextcloud.log" AND ("tag" OR "bulk") AND ("modif" OR "change" OR "update")
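The "multiple tag operations in short timeframes" indicator above, as an added example that is not part of the advisory: a small Python detector that keeps only POSTs to the /apps/files/tags path named above and flags any user exceeding a threshold inside a sliding window. It assumes the JSON-lines shape of nextcloud.log with time, user, method and url fields; the sample lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample in the JSON-lines shape of nextcloud.log (assumed fields:
# time, user, method, url). /apps/files/tags is the path the advisory names.
SAMPLE_LOG = """\
{"time":"2025-03-10T09:00:01+00:00","user":"alice","method":"POST","url":"/apps/files/tags"}
{"time":"2025-03-10T09:00:03+00:00","user":"alice","method":"POST","url":"/apps/files/tags"}
{"time":"2025-03-10T09:00:04+00:00","user":"alice","method":"POST","url":"/apps/files/tags"}
{"time":"2025-03-10T09:00:09+00:00","user":"alice","method":"POST","url":"/apps/files/tags"}
{"time":"2025-03-10T09:00:15+00:00","user":"alice","method":"POST","url":"/apps/files/tags"}
{"time":"2025-03-10T09:01:00+00:00","user":"bob","method":"POST","url":"/apps/files/tags"}
{"time":"2025-03-10T09:00:30+00:00","user":"alice","method":"GET","url":"/apps/files/tags"}
{"time":"2025-03-10T09:00:31+00:00","user":"carol","method":"POST","url":"/apps/files/ajax/upload.php"}
this line is not JSON and must be skipped
"""

TAG_PATH = "/apps/files/tags"   # bulk-tagging endpoint named in the advisory
WINDOW = timedelta(seconds=60)   # "short timeframe" used for the burst rule
THRESHOLD = 5                    # POSTs per user per window before flagging
def parse_tag_posts(text):
    # Keep only POSTs to the tagging endpoint; skip lines that are not JSON.
    events = []
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("method") == "POST" and rec.get("url", "").startswith(TAG_PATH):
            events.append((rec.get("user", "<anon>"), datetime.fromisoformat(rec["time"])))
    return events

def find_tag_bursts(events, window=WINDOW, threshold=THRESHOLD):
    # Sliding window over each user's sorted timestamps; report the peak count.
    by_user = defaultdict(list)
    for user, ts in events:
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[user] = peak
    return flagged

if __name__ == "__main__":
    print(find_tag_bursts(parse_tag_posts(SAMPLE_LOG)))   # {'alice': 5}
```

Tune WINDOW and THRESHOLD to the normal tagging volume of your deployment before alerting on the result.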
🔗 References
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-hq6c-r898-fgf2
- https://github.com/nextcloud/server/commit/b44f1568f2dc97c746281d99e2342ad679e3d8a9
- https://github.com/nextcloud/server/issues/51247
- https://github.com/nextcloud/server/pull/51288
- https://hackerone.com/reports/3040887