CVE-2025-52996
Wolfi vulnerability analysis and mitigation

Overview

File Browser, a file managing interface that provides functionality to upload, delete, preview, rename and edit files, contains a vulnerability in versions 2.32.0 and prior. The vulnerability (CVE-2025-52996) was disclosed on June 29, 2025, and involves an error-prone implementation of password-protected links that can result in files being shared without protection (GitHub Advisory).

Technical details

The vulnerability stems from the implementation of the file sharing feature where two different links are generated: a share link and a direct download link. While the share link requires password authentication, the direct download link contains a token that bypasses the password protection. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N, indicating network attack vector, high attack complexity, no privileges required, and user interaction required (GitHub Advisory).

Impact

The primary impact is that file owners might have a false sense of security, believing their shared files are only accessible to persons knowing the defined password. Attackers who gain access to the unprotected link can download potentially sensitive files without requiring the password (GitHub Advisory).

Mitigation and workarounds

A short-term mitigation was implemented in version 2.34.2, which removes the second link from the GUI when creating a password-protected share. However, this only defends against user errors and doesn't address the underlying issue of unprotected links remaining in various logs. A more thorough fix is being tracked through Issue #5239 (GitHub Advisory, GitHub Issue).
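
Because the tokenized links can remain in logs, an operator can audit the logs for them. The following is an added example, not code from File Browser or the advisory: it scans access-log lines for tokenized direct download links, counts exposures per share, and redacts the token value. The `/api/public/dl/` path prefix, the `token` parameter name and the sample log lines are assumptions; adjust them to your deployment.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumed URL shape of the tokenized direct download link; adjust as needed.
DL_PREFIX = "/api/public/dl/"
TOKEN_PARAM = "token"

# Request target in common/combined log format: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Any absolute URL elsewhere in the line (for example a logged referrer)
URL_RE = re.compile(r'https?://[^\s"]+')

def find_tokenized_links(line):
    """Return (share_id, token) for each tokenized download URL in a log line."""
    hits = []
    for target in REQUEST_RE.findall(line) + URL_RE.findall(line):
        parts = urlsplit(target)
        if not parts.path.startswith(DL_PREFIX):
            continue
        tokens = parse_qs(parts.query).get(TOKEN_PARAM, [])
        share_id = parts.path[len(DL_PREFIX):].split("/", 1)[0]
        hits.extend((share_id, t) for t in tokens if t)
    return hits

def redact(line):
    """Replace token values so the line can be retained without the secret."""
    pattern = r'([?&]%s=)[^&\s"]+' % re.escape(TOKEN_PARAM)
    return re.sub(pattern, r'\1[REDACTED]', line)

def audit(lines):
    """Map share id -> number of log lines that expose its token."""
    exposed = defaultdict(int)
    for line in lines:
        for share_id in {s for s, _ in find_tokenized_links(line)}:
            exposed[share_id] += 1
    return dict(exposed)

# Constructed sample access-log lines (not from a real system).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jul/2025:10:00:01 +0000] "GET /share/AbC123 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Jul/2025:10:00:09 +0000] "GET /api/public/dl/AbC123?token=EXAMPLETOKEN1 HTTP/1.1" 200 90210 "-" "curl/8.0"',
    '198.51.100.4 - - [01/Jul/2025:10:02:30 +0000] "GET /static/app.js HTTP/1.1" 200 300 "https://files.example.test/api/public/dl/XyZ789/report.pdf?token=EXAMPLETOKEN2" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for share_id, count in sorted(audit(SAMPLE_LOG).items()):
        print(f"share {share_id}: token exposed in {count} log line(s)")
    print(redact(SAMPLE_LOG[1]))
```

Shares reported by `audit` are candidates for deletion and re-creation, since the token in the logged link is sufficient to download the file without the password.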

This report was generated using AI.
