CVE-2025-66549 – Nextcloud Desktop client versions before 3.16.5... (How to Fix)

Q: What is the severity of CVE-2025-66549?

CVE-2025-66549 has a CVSS score of 2.4 (LOW). Nextcloud Desktop client versions before 3.16.5 send file paths unencrypted to the server when manually locking files in end-to-end encrypted directories. This allows server administrators to see which files users are accessing in their encrypted folders through server logs. Only affects users of Nextcloud Desktop client with end-to-end encrypted directories.

📋 TL;DR

Nextcloud Desktop client versions before 3.16.5 send file paths unencrypted to the server when manually locking files in end-to-end encrypted directories. This allows server administrators to see which files users are accessing in their encrypted folders through server logs. Only affects users of Nextcloud Desktop client with end-to-end encrypted directories.

💻 Affected Systems

Products:

Nextcloud Desktop

Versions: Versions prior to 3.16.5

Operating Systems: Windows, Linux, macOS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects users who have enabled end-to-end encrypted directories and manually lock files within those directories.

📦 What is this software?

Desktop by Nextcloud

View all CVEs affecting Desktop →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Server administrators could map user activity patterns, identify sensitive files by path names, and potentially correlate encrypted content with specific files.

🟠

Likely Case

Server administrators gain visibility into which encrypted files users are accessing, compromising privacy expectations of end-to-end encryption.

🟢

If Mitigated

With proper access controls, only trusted administrators would see the paths, but privacy expectations of end-to-end encryption would still be violated.

🌐 Internet-Facing: LOW - This is a client-side vulnerability that exposes information to the server, not directly internet-facing.

🏢 Internal Only: MEDIUM - Server administrators gain unauthorized visibility into user activity within supposedly end-to-end encrypted directories.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: NO

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires server administrator access to view logs. The vulnerability is inherent in the client's behavior when locking files.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.16.5

Vendor Advisory: https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h9xj-qh76-q3hw

Restart Required: Yes

Instructions:

1. Open Nextcloud Desktop client. 2. Go to Settings > General. 3. Check for updates or manually update to version 3.16.5. 4. Restart the client after update.

🔧 Temporary Workarounds

Avoid manual file locking in encrypted directories

all

Do not manually lock files within end-to-end encrypted directories until patched.

🧯 If You Can't Patch

Disable end-to-end encrypted directories feature temporarily
Implement strict access controls on server logs to limit administrator access

🔍 How to Verify

Check if Vulnerable:

Check Nextcloud Desktop client version in Settings > General. If version is below 3.16.5 and you use end-to-end encrypted directories, you are vulnerable.

Check Version:

On Linux: nextcloud --version; On Windows/macOS: Check in client UI under Settings > General

Verify Fix Applied:

Verify client version is 3.16.5 or higher in Settings > General. Test manual file locking in encrypted directory and confirm no unencrypted path transmission in server logs.

📡 Detection & Monitoring

Log Indicators:

Server logs showing file paths from encrypted directories during manual lock operations

Network Indicators:

Unencrypted file path transmissions in client-server communications

SIEM Query:

source="nextcloud_server" AND (message="file_lock" OR message="manual_lock") AND path CONTAINS "/e2e/"

📊 Metadata

CVE ID: CVE-2025-66549

CVSS v3 Score: 2.4 (LOW)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

CWE: CWE-209

EPSS Score: 0.03% exploit probability (7.1th percentile)

Published: December 5, 2025

Last Updated: December 9, 2025

🔗 References

https://github.com/nextcloud/desktop/commit/36d6c234d42b06a6f2e9de3e413a5c3c625edad6 Patch
https://github.com/nextcloud/desktop/pull/8330 Issue Tracking
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h9xj-qh76-q3hw Patch,Vendor Advisory
https://hackerone.com/reports/3159877 Permissions Required,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-66549, you might also want to check these: