CVE-2025-66545 - Vulnerability Details

CVE-2025-66545 - Nextcloud Groupfolders users with read-only permissions for team folder can restore deleted files from trash bin

Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

No data.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58
https://github.com/nextcloud/groupfolders/issues/4041
https://github.com/nextcloud/groupfolders/pull/4076
https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m

History

Fri, 05 Dec 2025 18:00:00 +0000

Type	Values Removed	Values Added
Description		Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.
Title		Nextcloud Groupfolders users with read-only permissions for team folder can restore deleted files from trash bin
Weaknesses		CWE-707
References		https://github.com/nextcloud/groupfolders/commit/bbe87ebed8da23e9df4db637a76fbc8d36439d58 https://github.com/nextcloud/groupfolders/issues/4041 https://github.com/nextcloud/groupfolders/pull/4076 https://github.com/nextcloud/security-advisories/security/advisories/GHSA-2vrq-fhmf-c49m
Metrics		cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2025-12-05T17:44:13.312Z

Updated: 2025-12-05T17:44:13.312Z

Reserved: 2025-12-04T15:52:26.549Z

Link: CVE-2025-66545

Vulnrichment

No data.

NVD

Status : Received

Published: 2025-12-05T18:15:57.803

Modified: 2025-12-05T18:15:57.803

Link: CVE-2025-66545

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-707

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object