Filebrowser, JWT Token Leak via URL, CVE-2025-XXXXX (Critical)

How the CVE Works

The vulnerability (CVE-2025-XXXXX) in Filebrowser v2.32.0 exposes JSON Web Tokens (JWTs) in URLs when users download files or open command sessions. The JWT used for session authentication is appended to the request URL as a query parameter (?auth=<JWT>). Because URLs are recorded in browser history, server access logs, proxy logs and Referer headers, an attacker with access to any of those records can recover the token. A captured JWT grants full access to the victim's account, enabling unauthorized file operations.

DailyCVE Form

Platform: Filebrowser
Version: 2.32.0
Vulnerability: JWT URL leak
Severity: Critical
Date: 2025-06-26

Prediction: Patch expected by 2025-06-26 (fixed in 2.33.9)

What Undercode Says

Analytics:

Check JWT in logs:
grep "auth=eyJ" /var/log/nginx/access.log
Exploit PoC (curl):
curl -H "Authorization: Bearer <STOLEN_JWT>" http://victim/api/raw/secretfile

How to Exploit

1. Extract JWT from proxy logs/browser history.
2. Use stolen JWT in `Authorization` header to impersonate victim.

Protection from this CVE

  • Upgrade to v2.33.9.
  • Disable token transmission via URLs.
  • Use `HttpOnly` cookies for JWTs.
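The log check above and the last two protection points, worked through in Go as an added example (this is not Filebrowser's code): ScanAccessLog runs the `auth=eyJ` signature over a constructed nginx-style access log, reports the exposed request paths and masks the tokens so the lines can be shared during triage; TokenFromRequest is a hardened extraction that refuses any token arriving in the URL and accepts only the Authorization header or an HttpOnly cookie. The log lines, the JWT in them and the cookie name `auth` are assumptions.

```go
package main

import (
	"errors"
	"net/http"
	"regexp"
	"strings"
)

// Constructed nginx-style access log; the second request carries a (fake) JWT in ?auth=.
const SampleLog = `10.0.0.5 - - [26/Jun/2025:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
10.0.0.5 - - [26/Jun/2025:10:00:07 +0000] "GET /api/raw/secretfile?auth=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.c2ln HTTP/1.1" 200 8192
10.0.0.9 - - [26/Jun/2025:10:01:00 +0000] "GET /api/raw/readme.md HTTP/1.1" 200 77`

// auth=<JWT> in a query string; "eyJ" opens every base64url JWT header (the grep signature).
var jwtInQuery = regexp.MustCompile(`([?&]auth=)(eyJ[\w-]*\.[\w-]*\.[\w-]*)`)

// Leak: the request path (for triage) and the log line with the token masked (safe to share).
type Leak struct{ Path, Redacted string }

// ScanAccessLog reports every request whose URL carried a JWT in auth, masking the token.
func ScanAccessLog(logText string) []Leak {
	var leaks []Leak
	for _, line := range strings.Split(logText, "\n") {
		loc := jwtInQuery.FindStringSubmatchIndex(line)
		if loc == nil {
			continue
		}
		// loc[2]:loc[3] is "?auth=", loc[4]:loc[5] the token; the path sits just before "?auth=".
		start := strings.LastIndex(line[:loc[2]], " ") + 1
		leaks = append(leaks, Leak{line[start:loc[2]], line[:loc[4]] + "<REDACTED>" + line[loc[5]:]})
	}
	return leaks
}

// TokenFromRequest is the hardened extraction: the token is read from the Authorization
// header or an HttpOnly cookie only, and a request carrying one in the URL is refused.
func TokenFromRequest(r *http.Request) (string, error) {
	if r.URL.Query().Has("auth") {
		return "", errors.New("session token in URL is not accepted")
	}
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer "), nil
	}
	if c, err := r.Cookie("auth"); err == nil {
		return c.Value, nil
	}
	return "", errors.New("no session token presented")
}
```

Because the scanner only needs the `?auth=` signature, it works unchanged on proxy logs and exported browser history, which the post lists as the other places the token lands.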

Impact

  • Full account takeover.
  • Unauthorized file access/modification.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

πŸ”JOIN OUR CYBER WORLD [ CVE News β€’ HackMonitor β€’ UndercodeNews ]

πŸ’¬ Whatsapp | πŸ’¬ Telegram

πŸ“’ Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | πŸ”— Linkedin Featured Image

Scroll to Top