CVE-2025-52901: 
Wolfi vulnerability analysis and mitigation

CVE-2025-52901 affects File Browser versions prior to 2.33.9, where access tokens are used as GET parameters. The vulnerability involves the exposure of JSON Web Tokens (JWT) used as session identifiers through URLs accessed by users. The vulnerability was discovered on March 27, 2025, disclosed to the project on April 29, 2025, and patched with the release of version 2.33.9 on June 26, 2025 (GitHub Advisory).

The vulnerability is classified as CWE-598 (Use of GET Request Method With Sensitive Query Strings). The CVSS v3.1 base score is 4.5 (Medium) with the vector string CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N. The issue occurs when sensitive authentication tokens are transmitted as GET parameters in URLs, which is considered a security anti-pattern (GitHub Advisory).

The vulnerability allows attackers with access to URLs accessed by users to obtain JWT session identifiers. This exposure grants full access to a user's account and consequently to all sensitive files the user has access to. The tokens can be leaked through various channels including browser history, server access logs, proxy servers, and third-party servers via HTTP referrer headers (GitHub Advisory).

The vulnerability has been patched in File Browser version 2.33.9. The fix involves removing auth tokens from GET parameters and implementing proper transmission of sensitive data through HTTP headers or the HTTP body only. Users should upgrade to version 2.33.9 or later to address this security issue (GitHub Advisory, Release Notes).