CVE-2025-66548

3.3 LOW

📋 TL;DR

This vulnerability in Nextcloud Deck allows attackers to spoof file extensions using Right-to-Left Override (RTLO) characters, tricking users into downloading files with different extensions than displayed. Users of Nextcloud Deck versions before 1.12.7, 1.14.4, and 1.15.1 are affected when downloading files from the Deck application.

💻 Affected Systems

Products:
  • Nextcloud Deck
Versions: before 1.12.7, 1.14.4, and 1.15.1
Operating Systems: All platforms running Nextcloud Deck
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects file downloads from the Deck application. Requires user interaction to download the spoofed file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Users download malicious executables disguised as benign documents, leading to malware infection, data theft, or system compromise.

🟠 Likely Case

Users download files with unexpected extensions, potentially executing malicious scripts or opening dangerous file types.

🟢 If Mitigated

Users are warned about suspicious file extensions or downloads are blocked by security software.

🌐 Internet-Facing: MEDIUM - Exploitable if Nextcloud instance is internet-facing and users download files from Deck.
🏢 Internal Only: MEDIUM - Internal users can still be tricked into downloading malicious files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires user to download a file. Proof of concept available in HackerOne report #2326618.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.12.7, 1.14.4, or 1.15.1

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-xjvq-xvr7-xpg6

Restart Required: No

Instructions:

1. Update Nextcloud Deck to version 1.12.7, 1.14.4, or 1.15.1 via the Nextcloud app store or a manual installation.
2. Clear the Nextcloud cache if issues persist.

🔧 Temporary Workarounds

Disable file downloads from Deck

Applies to: all

Temporarily disable file attachment/download functionality in Deck until patched.

User education

Applies to: all

Warn users about suspicious file downloads and to verify file extensions before opening.

🧯 If You Can't Patch

  • Implement web application firewall rules to block RTLO characters in file names
  • Configure endpoint protection to scan all downloads from Nextcloud for malicious content

🔍 How to Verify

Check if Vulnerable:

Check Nextcloud Deck version in Nextcloud admin settings under 'Apps' > 'Deck'.

Check Version:

Check the Nextcloud admin interface, or run the following from the Nextcloud installation directory as the web server user: php occ app:list | grep deck

Verify Fix Applied:

Verify in Nextcloud admin settings that the Deck version is at least 1.12.7, 1.14.4, or 1.15.1 on the corresponding release line.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file download patterns from Deck
  • Files with RTLO characters in names

Network Indicators:

  • File downloads from Deck with unusual extensions

SIEM Query (pseudo-query; the source name, event names and the Unicode escape syntax for U+202E must be adapted to your platform):

source="nextcloud" AND (event="file_download" OR event="deck_attachment") AND filename MATCHES "\\u202E"
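An added detection example (not code from Nextcloud, Deck, or this advisory) that runs the "RTLO characters in names" indicator over constructed log lines: it flags bidi control characters and reports the extension a user would see next to the extension the OS would act on. It goes slightly beyond the advisory by also treating the other Unicode bidi embedding, isolate and mark characters as suspicious, and the log line format is an assumption.

```python
import re
import unicodedata

# Bidi controls that can reorder a rendered name; U+202E (RLO) is the advisory's, the rest are an added assumption.
BIDI_CONTROLS = frozenset("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")

def displayed_name(name):
    """Approximate a naive renderer: text after RLO is reversed until the next PDF
    (U+202C) or end of string; other controls are invisible. Simplified, not full UAX #9."""
    out, i = [], 0
    while i < len(name):
        if name[i] == "\u202e":
            end = name.find("\u202c", i + 1)
            end = len(name) if end == -1 else end
            out.append(name[i + 1:end][::-1])  # the RLO segment is displayed reversed
            i = end + 1
            continue
        if name[i] not in BIDI_CONTROLS:
            out.append(name[i])
        i += 1
    return "".join(out)

def extension(name):
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def check_download(filename):
    """Classify one attachment name: returns (suspicious, details)."""
    controls = [(i, unicodedata.name(c)) for i, c in enumerate(filename) if c in BIDI_CONTROLS]
    shown = displayed_name(filename)
    actual = "".join(c for c in filename if c not in BIDI_CONTROLS)  # the name the OS acts on
    details = {"controls": controls, "displayed": shown,
               "displayed_ext": extension(shown), "actual_ext": extension(actual)}
    return bool(controls) or details["displayed_ext"] != details["actual_ext"], details

LOG_FIELD = re.compile(r'filename="([^"]*)"')

def scan_log_lines(lines):
    """Return (line_no, filename, details) for each download line that trips the check."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_FIELD.search(line)
        if m and (res := check_download(m.group(1)))[0]:
            hits.append((n, m.group(1), res[1]))
    return hits

# Constructed sample log lines (not real Nextcloud output) for a stand-alone run.
SAMPLE_LOG = [
    'event="deck_attachment" user="alice" filename="roadmap.pdf"',
    'event="file_download" user="bob" filename="invoice\u202efdp.exe"',
]
```

Running scan_log_lines(SAMPLE_LOG) returns only the second line, with details showing a displayed extension of pdf against an actual extension of exe.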
