github.com/filebrowser/filebrowser/v2 is vulnerable to Remote Code Execution (RCE)
91
Critical Risk
Affected versions of this package are vulnerable to Remote Code Execution (RCE) due to multiple unresolved flaws in the command execution functionality, which is enabled by default. An attacker who gains access to any user account can exploit these vulnerabilities to inject and execute arbitrary system commands. This could lead to a complete system takeover, cryptocurrency mining, or the retrieval of malicious payloads from external domains. Although the maintainers have disabled this feature by default in the patched version, any installations made before the update remain exposed unless manually secured.
You are affected if you are using a version that falls within the vulnerable range or if you did not explicitly disable the command execution feature with --disable-exec=true.
github.com/filebrowser/filebrowser/v2 is vulnerable to Remote Code Execution (RCE) in versions 2.0.0 - 2.33.7.
Upgrade the github.com/filebrowser/filebrowser/v2 library to the patched version or disable the command execution feature with --disable-exec=true.
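
The following check is an added example, not part of the original advisory or the filebrowser project: it applies the two conditions above (version range and the --disable-exec=true flag) to a go.mod file and a process command line. The sample go.mod, the function names and the status names are constructed for illustration, and only the explicit flag form given in the advisory is treated as disabling the feature.

```python
import re

MODULE = "github.com/filebrowser/filebrowser/v2"
# Vulnerable range as stated in the advisory: 2.0.0 - 2.33.7 (inclusive).
RANGE_LOW, RANGE_HIGH = (2, 0, 0), (2, 33, 7)

# Constructed sample input, not taken from a real project.
SAMPLE_GO_MOD = """\
module example.com/internal/portal

go 1.22

require (
	github.com/filebrowser/filebrowser/v2 v2.31.2
)
"""

def module_version(go_mod_text):
    """Return the required MODULE version as (major, minor, patch), or None.

    Handles both `require <mod> vX.Y.Z` and entries inside a require block.
    Pre-release or build suffixes after the patch number are ignored.
    """
    pattern = re.compile(
        r"^\s*(?:require\s+)?" + re.escape(MODULE) + r"\s+v(\d+)\.(\d+)\.(\d+)",
        re.MULTILINE,
    )
    match = pattern.search(go_mod_text)
    return tuple(int(part) for part in match.groups()) if match else None

def exec_disabled(argv):
    """True only when the explicit form from the advisory is present."""
    return "--disable-exec=true" in argv

def assess(go_mod_text, argv):
    """Classify a deployment: not-present, mitigated, exposed or review."""
    version = module_version(go_mod_text)
    if version is None:
        return "not-present"
    if exec_disabled(argv):
        return "mitigated"
    if RANGE_LOW <= version <= RANGE_HIGH:
        return "exposed"
    # Newer version without the flag: installations made before the
    # update keep command execution until it is manually disabled.
    return "review"

if __name__ == "__main__":
    print(assess(SAMPLE_GO_MOD, ["filebrowser"]))
```

A "review" result means the version is outside the stated range but the flag was not seen, so the installation date and stored settings still need to be checked by hand.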