{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53826", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-09T14:14:52.530Z", "datePublished": "2025-07-15T18:12:24.289Z", "dateUpdated": "2025-07-15T18:37:40.098Z"}, "containers": {"cna": {"title": "FileBrowser Has Insecure JWT Handling Which Allows Session Replay Attacks after Logout", "problemTypes": [{"descriptions": [{"cweId": "CWE-305", "lang": "en", "description": "CWE-305: Authentication Bypass by Primary Weakness", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-385", "lang": "en", "description": "CWE-385: Covert Timing Channel", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-613", "lang": "en", "description": "CWE-613: Insufficient Session Expiration", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7"}, {"name": "https://github.com/filebrowser/filebrowser/issues/5216", "tags": ["x_refsource_MISC"], "url": "https://github.com/filebrowser/filebrowser/issues/5216"}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"version": "= 2.39.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-15T18:12:24.289Z"}, "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser\u2019s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of publication, no known patches exist."}], "source": {"advisory": "GHSA-7xwp-2cpp-p8r7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-15T18:37:37.261625Z", "id": "CVE-2025-53826", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T18:37:40.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53826", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-15T18:37:37.261625Z"}}}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-15T18:37:28.657Z"}}], "cna": {"title": "FileBrowser Has Insecure JWT Handling Which Allows Session Replay Attacks after Logout", "source": {"advisory": "GHSA-7xwp-2cpp-p8r7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "filebrowser", "product": "filebrowser", "versions": [{"status": "affected", "version": "= 2.39.0"}]}], "references": [{"url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7", "name": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/filebrowser/filebrowser/issues/5216", "name": "https://github.com/filebrowser/filebrowser/issues/5216", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser\u2019s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of publication, no known patches exist."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-305", "description": "CWE-305: Authentication Bypass by Primary Weakness"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-385", "description": "CWE-385: Covert Timing Channel"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613: Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-15T18:12:24.289Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53826", "state": "PUBLISHED", "dateUpdated": "2025-07-15T18:37:40.098Z", "dateReserved": "2025-07-09T14:14:52.530Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-15T18:12:24.289Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:filebrowser:filebrowser:2.39.0:*:*:*:*:*:*:*", "matchCriteriaId": "BCC88FEF-CBF9-41E6-862B-236EB9750ED5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser\u2019s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. As of time of publication, no known patches exist."}, {"lang": "es", "value": "File Browser proporciona una interfaz de gesti\u00f3n de archivos dentro de un directorio espec\u00edfico y permite cargar, eliminar, previsualizar, renombrar y editar archivos. En la versi\u00f3n 2.39.0, el sistema de autenticaci\u00f3n del Explorador de Archivos emite tokens JWT de larga duraci\u00f3n que siguen siendo v\u00e1lidos incluso despu\u00e9s de cerrar la sesi\u00f3n. Al momento de la publicaci\u00f3n, no se conoc\u00edan parches."}], "id": "CVE-2025-53826", "lastModified": "2025-08-05T18:26:27.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-07-15T18:15:24.127", "references": [{"source": "security-advisories@github.com", "tags": ["Issue Tracking"], "url": "https://github.com/filebrowser/filebrowser/issues/5216"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-7xwp-2cpp-p8r7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-305"}, {"lang": "en", "value": "CWE-385"}, {"lang": "en", "value": "CWE-613"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-07-16T21:35:23.773767+00:00", "updated": "2025-07-16T21:35:23.773819+00:00", "vendors": ["filebrowser", "filebrowser$PRODUCT$filebrowser"]}