SecuriTricks - CVE-2025-53826

Description

File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of publication, no known patches exist.

Product(s) Impacted

Vendor	Product	Versions
File Browser	File Browser	2.39.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-305

Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	file_browser	file_browser	2.39.0	/	/	/	/	/	/	/

References

https://github.com/filebrowser/filebrowser/issues/5216

https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7

CVSS Score

7.7 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: NONE
User Interaction: NONE
Scope:
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Exploit Maturity: PROOF_OF_CONCEPT

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: July 15, 2025, 6:15 p.m.
Last Modified: July 15, 2025, 8:07 p.m.

Status : Awaiting Analysis

CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.

More info

Source

security-advisories@github.com

CVE-2025-53826