CVE-2025-52902: 
Wolfi vulnerability analysis and mitigation

File Browser, a file managing interface application, was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-52902) in its Markdown preview function. The vulnerability was identified on March 25, 2025, and publicly disclosed on June 26, 2025. The issue affects all versions of File Browser before v2.33.7, where any JavaScript code embedded within a Markdown file uploaded by a user could be executed by the browser (GitHub Advisory).

The vulnerability stems from the application's Markdown parser accepting and rendering arbitrary HTML elements without proper sanitization. When a user uploads a malicious Markdown file containing HTML with embedded JavaScript, the renderer attempts to display the content and executes any included code in the victim's browser context. The vulnerability received a CVSS v3.1 base score of 7.6 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, and user interaction required (GitHub Advisory).

The vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers when they view a malicious Markdown file. This can lead to serious security implications including the theft of user session tokens and potential privilege escalation if the victim is an administrator. In cases where administrative access is compromised, the attacker could potentially gain command execution rights (GitHub Advisory).

The vulnerability has been patched in version 2.33.7 through the implementation of DOMPurify, an HTML sanitizer. The fix involves sanitizing the HTML content before rendering it in the preview. Organizations are strongly advised to upgrade to version 2.33.7 or later. For those unable to upgrade immediately, it is recommended to reconfigure the Markdown parser to ignore HTML elements and only render text within the Markdown specification (GitHub Advisory, GitHub Commit).