CVE-2025-52995: 
Wolfi vulnerability analysis and mitigation

File Browser, a file managing interface software, was found to contain a critical command execution allowlist bypass vulnerability (CVE-2025-52995) discovered in versions prior to 2.33.10. The vulnerability was disclosed on June 30, 2025, affecting all versions up to and including 2.33.8. The vulnerability allows users to execute more shell commands than they are authorized for due to an erroneous implementation of the command allowlist feature (GitHub Advisory, NVD).

The vulnerability stems from an improper implementation of the command execution allowlist verification in the CanExecute function within users/users.go. The function uses a regular expression that only checks if the issued command contains an allowed command rather than requiring an exact match. For example, if a user is granted access to the 'ls' command, they could also execute 'lsof' and 'lsusb'. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 HIGH with vector string CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H and is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) (GitHub Advisory).

The vulnerability could allow authenticated users with execute permissions to bypass command restrictions and execute unauthorized shell commands. Due to the missing separation of scopes at the OS level, successful exploitation could give attackers access to all files managed by the application, including the File Browser database. The concrete impact depends on the commands configured and the binaries installed on the server or in the container image (GitHub Advisory).

The vulnerability has been patched in version 2.33.10, released on June 26, 2025. The fix modifies the CanExecute function to only allow exact matches of specified commands instead of partial matching. Users are strongly advised to upgrade to version 2.33.10 or later (GitHub Release, GitHub Patch).