CVE-2025-64523
Published: 12 November 2025
Description
File Browser provides a file management interface within a specified directory and can be used to upload, delete, preview, rename and edit files. Versions prior to 2.45.1 have an Insecure Direct Object Reference (IDOR) vulnerability in the FileBrowser application's share deletion functionality. This vulnerability allows any authenticated user with share permissions to delete other users' shared links without authorization checks. The impact is significant as malicious actors can disrupt business operations by systematically removing shared files and links. This leads to denial of service for legitimate users, potential data loss in collaborative environments, and breach of data confidentiality agreements. In organizational settings, this could affect critical file sharing for projects, presentations, or document collaboration. Version 2.45.1 contains a fix for the issue.
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations, directly addressing the missing authorization checks in FileBrowser's share deletion functionality to prevent IDOR exploitation.
AC-24 requires explicit authorization decisions for specific system resources like shared links, countering the bypass allowing any share-permission user to delete others' links.
AC-6 enforces least privilege, limiting authenticated users to only necessary actions on their own shared links and preventing broad deletion capabilities.
Security Summary
CVE-2025-64523 is an Insecure Direct Object Reference (IDOR) vulnerability, associated with CWE-285 (Improper Authorization) and CWE-639 (Authorization Bypass Through User-Controlled Key), affecting the FileBrowser application in versions prior to 2.45.1. FileBrowser is a web-based file management interface that enables users to upload, delete, preview, rename, and edit files within a specified directory. The flaw resides specifically in the share deletion functionality, where insufficient authorization checks allow improper access to shared links.
The vulnerability can be exploited over the network by any authenticated user who possesses share permissions, requiring low privileges (PR:L) and no user interaction (UI:N), with a CVSS v3.1 base score of 8.8 indicating high severity due to impacts on confidentiality (C:H), integrity (I:H), and availability (A:H). Attackers can delete other users' shared links without authorization, enabling systematic removal of shared files and links. This results in denial of service for legitimate users, potential data loss in collaborative environments, and breaches of data confidentiality agreements, disrupting business operations such as project file sharing, presentations, or document collaboration.
Mitigation is addressed in FileBrowser version 2.45.1, which contains a fix for the issue, as detailed in the GitHub security advisory GHSA-6cqf-cfhv-659g and the corresponding commit 291223b3cefe1e50fae8f73d70464b1dc25351a4. Security practitioners should upgrade to version 2.45.1 or later and review access controls on share permissions to prevent exploitation.
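The missing check described above, shown as an added Go illustration that is not FileBrowser's own code: a hypothetical share-deletion routine in its vulnerable form (it verifies only that the caller holds the share permission) beside a fixed form that also verifies the caller owns the share named by the client-supplied hash. The Store type, user IDs and hash values are constructed for the example.

```go
package main

import "errors"
import "fmt"

var ErrNotFound = errors.New("share not found")
var ErrForbidden = errors.New("forbidden")

// Store: constructed in-memory share table (hypothetical, not FileBrowser's code), hash -> owner user ID.
type Store struct{ owner map[string]uint }

func NewStore() *Store                      { return &Store{owner: map[string]uint{}} }
func (s *Store) Add(hash string, user uint) { s.owner[hash] = user }
func (s *Store) Has(hash string) bool       { _, ok := s.owner[hash]; return ok }

// DeleteVulnerable reproduces the IDOR pattern: it checks only that the caller
// holds the share permission, then deletes whichever hash the client named.
func (s *Store) DeleteVulnerable(callerCanShare bool, hash string) error {
	if !callerCanShare {
		return ErrForbidden
	}
	if !s.Has(hash) {
		return ErrNotFound
	}
	delete(s.owner, hash)
	return nil
}

// DeleteFixed adds the missing object-level check: the share is looked up by the
// client-supplied key and removed only if the caller owns it or is an admin.
func (s *Store) DeleteFixed(callerID uint, callerCanShare, callerIsAdmin bool, hash string) error {
	if !callerCanShare {
		return ErrForbidden
	}
	owner, ok := s.owner[hash]
	if !ok {
		return ErrNotFound
	}
	if owner != callerID && !callerIsAdmin {
		return ErrForbidden
	}
	delete(s.owner, hash)
	return nil
}

func main() {
	s := NewStore()
	s.Add("abc123", 1) // constructed sample: share abc123 belongs to user 1
	fmt.Println(s.DeleteFixed(2, true, false, "abc123")) // prints "forbidden": user 2 is not the owner
}
```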
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR in the web-based FileBrowser application lets a remote attacker exploit a public-facing application (T1190) to delete other users' shared links and files without authorization, which amounts to data destruction through removal and denial of access (T1485).