CVE-2025-52996: 
Wolfi vulnerability analysis and mitigation

File Browser versions 2.32.0 and prior contain a vulnerability in the implementation of password-protected file sharing links (CVE-2025-52996). The vulnerability allows potential unprotected sharing of files through direct download links, which can be shared unknowingly by users or discovered from various locations such as browser history or proxy server logs. The vulnerability was discovered on March 27, 2025, and was publicly disclosed on June 29, 2025 (GitHub Advisory).

The vulnerability stems from the application's file sharing mechanism which generates two different types of links: a share link and a direct download link. While the share link requires password authentication, the direct download link contains a token that bypasses the password protection entirely. The vulnerability has been assigned a CVSS v3.1 base score of 3.1 (LOW) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N. It is classified as CWE-305: Authentication Bypass by Primary Weakness (GitHub Advisory).

The vulnerability can lead to unauthorized access to shared files, bypassing password protection. File owners might incorrectly assume their shared files are only accessible to persons knowing the defined password, creating a false sense of security. Attackers who gain access to the unprotected link can download potentially sensitive files without requiring the password (GitHub Advisory).

A partial mitigation was released in version 2.34.2 to address user error by removing the second link from the GUI when creating a password-protected share. However, this solution does not completely resolve the issue as unprotected links may still remain in various logs. A more comprehensive fix is being tracked through Issue #5239, which aims to eliminate unprotected links entirely and ensure file access is only granted to requests containing the share password (GitHub Advisory, GitHub Issue).