CVE-2025-52995: 
vulnerability analysis and mitigation

File Browser provides a file managing interface within a specified directory that can be used to upload, delete, preview, rename and edit files. A critical vulnerability (CVE-2025-52995) was discovered in versions prior to 2.33.10, where the implementation of the command execution allowlist was found to be erroneous. The vulnerability was disclosed on June 30, 2025, affecting the command execution feature of File Browser (GitHub Advisory).

The vulnerability is classified as an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability (CWE-77). It has received a CVSS v3.1 Base Score of 8.0 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). The technical issue lies in the implementation of the allowlist verification system, which incorrectly validates commands using partial matching instead of exact matching, allowing users to execute unauthorized shell commands (GitHub Advisory).

If exploited, this vulnerability allows users to execute more shell commands than they are authorized for. The concrete impact depends on the commands configured and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, an attacker could potentially gain access to all files managed by the application, including the File Browser database (GitHub Advisory).

The vulnerability has been patched in File Browser version 2.33.10. Users of affected versions are strongly advised to upgrade to this version or later. The fix implements proper command validation to ensure exact matching of allowed commands instead of partial matching (GitHub Advisory, GitHub Release).