=====================================================================
CERT-Renater Information Note No. 2025/VULN806
_____________________________________________________________________
DATE : 17/11/2025
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running filebrowser versions prior to 2.45.2.
=====================================================================

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6jqf-mv7m-3q7p
https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6cqf-cfhv-659g
_____________________________________________________________________

Risk of HTTP Request/Response smuggling through vulnerable dependency
Critical

hacdias published GHSA-6jqf-mv7m-3q7p on Nov 13, 2025

Package: github.com/filebrowser/filebrowser/v2 (Go)
Affected versions: <= 2.45.1
Patched versions: 2.45.2

Description

The standard library net/http package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. It can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext. See https://nvd.nist.gov/vuln/detail/CVE-2025-22871 for more details.
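As an added illustration of the framing rule the advisory refers to (this is not code from File Browser or from the Go standard library), the following strict chunk-size-line reader rejects a bare LF where a lenient parser would accept it as the end of the line. The function names and the sample bodies are constructed for this note.

```go
package main

import (
	"bufio"
	"errors"
	"strconv"
	"strings"
)

var ErrNotCRLF = errors.New("chunk-size line not terminated by CRLF")
var ErrBadChunk = errors.New("malformed chunk-size line")

// readChunkSize reads one chunk-size line ("1a;ext=val\r\n") and returns the size,
// insisting on CRLF: a bare LF, which a lenient parser takes as the line end, is rejected.
func readChunkSize(r *bufio.Reader) (int64, error) {
	line, _ := r.ReadString('\n') // on EOF the partial line fails the CRLF test below
	if !strings.HasSuffix(line, "\r\n") {
		return 0, ErrNotCRLF
	}
	line = strings.TrimSuffix(line, "\r\n")
	if i := strings.IndexByte(line, ';'); i >= 0 { // drop any chunk extension
		line = line[:i]
	}
	n, err := strconv.ParseInt(strings.TrimSpace(line), 16, 64)
	if err != nil || n < 0 {
		return 0, ErrBadChunk
	}
	return n, nil
}

// chunkSizes walks a chunked body with the strict reader, returning every framed size or the first error.
func chunkSizes(body string) ([]int64, error) {
	r := bufio.NewReader(strings.NewReader(body))
	var sizes []int64
	for {
		n, err := readChunkSize(r)
		if err != nil {
			return sizes, err
		}
		sizes = append(sizes, n)
		if n == 0 {
			return sizes, nil // last-chunk; trailers are not parsed here
		}
		r.Discard(int(n)) // skip chunk data; a short body fails the CRLF check next
		if end, _ := r.Peek(2); string(end) != "\r\n" {
			return sizes, ErrBadChunk
		}
		r.Discard(2)
	}
}
```

A body such as "5\nhello\r\n0\r\n\r\n" is refused by this reader, which is the point: two hops that agree on refusing it cannot be made to disagree about where one request ends and the next begins.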
Severity: Critical, 9.1 / 10

CVSS v3 base metrics
  Attack vector: Network
  Attack complexity: Low
  Privileges required: None
  User interaction: None
  Scope: Unchanged
  Confidentiality: High
  Integrity: High
  Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CVE ID: CVE-2025-22871
Weaknesses: No CWEs
Credits: @Francesco-Bellomi (Reporter), @hacdias (Remediation developer)
_____________________________________________________________________

Insecure Direct Object Reference (IDOR) in Share Deletion Function
High

hacdias published GHSA-6cqf-cfhv-659g on Nov 11, 2025

Package: github.com/filebrowser/filebrowser (Go)
Affected versions: <= 2.45.0
Patched versions: 2.45.1

Description

Summary

An Insecure Direct Object Reference (IDOR) vulnerability has been found in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks.

The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.

Details

Technical Analysis

The vulnerability exists in /http/share.go at lines 72-82. The shareDeleteHandler function processes deletion requests using only the share hash without comparing the link.UserID with the current authenticated user's ID (d.user.ID). This missing authorization check enables the vulnerability.
    var shareDeleteHandler = withPermShare(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {
        hash := strings.TrimSuffix(r.URL.Path, "/")
        hash = strings.TrimPrefix(hash, "/")
        if hash == "" {
            return http.StatusBadRequest, nil
        }

        err := d.store.Share.Delete(hash) // Missing ownership validation
        return errToStatus(err), err
    })

PoC

Reproduce Steps:

Prerequisites: Two authenticated user accounts (User A and User B) with share permissions
Step 1: User A creates a share link and obtains the share hash (e.g., MEEuZK-v)
Step 2: User B authenticates and obtains a valid JWT token
Step 3: User B sends a DELETE request to /api/share/MEEuZK-v with their own JWT token
Step 4: Observe that User A's share is deleted without authorization

    DELETE /api/share/MEEuZK-v HTTP/1.1
    Host: filebrowser.local
    Content-Type: application/json

Impact

The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration.
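Added example, not the project's own patch: a version of the delete handler that performs the ownership comparison the advisory says is missing. The Link type, the in-memory ShareStore and the callerID parameter are assumed stand-ins for the share model, d.store.Share and d.user.ID.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Link is a minimal stand-in for File Browser's share record (assumed shape).
type Link struct {
	Hash   string
	UserID uint
}

// ShareStore is an in-memory substitute for d.store.Share, keyed by hash (assumed).
type ShareStore struct{ links map[string]Link }

// deleteShare mirrors shareDeleteHandler but looks the link up first and only
// deletes it when link.UserID matches the authenticated caller (callerID plays
// the role of d.user.ID). It returns the HTTP status the handler would send.
func deleteShare(store *ShareStore, callerID uint, path string) int {
	hash := strings.TrimSuffix(path, "/")
	hash = strings.TrimPrefix(hash, "/")
	if hash == "" {
		return http.StatusBadRequest
	}
	link, ok := store.links[hash]
	if !ok {
		return http.StatusNotFound
	}
	// The ownership check the vulnerable handler lacks.
	if link.UserID != callerID {
		return http.StatusForbidden
	}
	delete(store.links, hash)
	return http.StatusOK
}

// newStore builds constructed sample data: user 1 owns share MEEuZK-v,
// the example hash from the advisory.
func newStore() *ShareStore {
	return &ShareStore{links: map[string]Link{"MEEuZK-v": {Hash: "MEEuZK-v", UserID: 1}}}
}

func main() {
	s := newStore()
	fmt.Println(deleteShare(s, 2, "/MEEuZK-v")) // 403: user B cannot delete user A's share
	fmt.Println(deleteShare(s, 1, "/MEEuZK-v")) // 200: the owner can
	fmt.Println(deleteShare(s, 1, "/MEEuZK-v")) // 404: already gone
}
```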
Severity: High, 7.2 / 10

CVSS v4 base metrics
Exploitability Metrics
  Attack Vector: Network
  Attack Complexity: Low
  Attack Requirements: None
  Privileges Required: Low
  User interaction: None
Vulnerable System Impact Metrics
  Confidentiality: Low
  Integrity: High
  Availability: High
Subsequent System Impact Metrics
  Confidentiality: None
  Integrity: None
  Availability: None
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N

CVE ID: CVE-2025-64523
Weaknesses: CWE-285, CWE-639
Credits: @bbodisteanu-hacken (Reporter), @hacdias (Remediation developer)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris         | email: cert@support.renater.fr +
=========================================================