How severe is GHSA-jj2r-455p-5gvf?

GHSA-jj2r-455p-5gvf has a CVSS score of 5.5/10, rated MEDIUM. Review your exposure and patch according to your risk tolerance.

Which packages are affected by GHSA-jj2r-455p-5gvf?

GHSA-jj2r-455p-5gvf affects the following packages: github.com/filebrowser/filebrowser/v2 (Go), github.com/filebrowser/filebrowser (Go). Ecosystems affected: Go.

How do I fix GHSA-jj2r-455p-5gvf?

Update github.com/filebrowser/filebrowser/v2 to 2.33.7 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-jj2r-455p-5gvf is resolved across your whole dependency graph.

How do I detect GHSA-jj2r-455p-5gvf in my Go dependencies?

Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/filebrowser/filebrowser/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

How do I mitigate GHSA-jj2r-455p-5gvf if there is no patch (or I can't update yet)?

If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

How does O3 Security protect against GHSA-jj2r-455p-5gvf?

O3 pinpoints whether GHSA-jj2r-455p-5gvf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Is GHSA-jj2r-455p-5gvf actively exploited in the wild?

No public exploit code has been indexed for GHSA-jj2r-455p-5gvf yet. This does not mean the vulnerability cannot be exploited — absence of public exploits does not imply safety. Apply the recommended fix and use O3 Security to monitor your exposure.

What is the EPSS score for GHSA-jj2r-455p-5gvf?

GHSA-jj2r-455p-5gvf has an EPSS (Exploit Prediction Scoring System) score of 0.2%, placing it in the 9th percentile of all CVEs. EPSS is maintained by FIRST.org and estimates the probability that a vulnerability will be exploited in the wild within the next 30 days. This score indicates relatively lower exploitation probability, though the CVSS severity should still guide your patching priority.

What type of vulnerability is GHSA-jj2r-455p-5gvf?

GHSA-jj2r-455p-5gvf is classified as Incorrect Default Permissions (CWE-276). This weakness type describe the underlying flaw category, which helps determine the potential impact and the right class of mitigation.

When was GHSA-jj2r-455p-5gvf published, and has it been updated?

GHSA-jj2r-455p-5gvf was published on June 27, 2025 and was last updated on August 4, 2025. Advisory data evolves as severity scores, affected ranges, and exploit intelligence are revised — always check the latest version of the advisory before acting.

🐹 Go

GHSA-jj2r-455p-5gvf

MEDIUM

filebrowser Sets Insecure File Permissions

Also known asCVE-2025-52900GO-2025-3785

Published

Jun 27, 2025

Updated

Aug 4, 2025

Affected

2 pkgs

Patched

1 / 2

Exploits

None indexed

EPSS Exploitation Probability

via FIRST.org ↗

0.2%probability of exploitation in next 30 days

Lower Risk9th percentile+0.11%

EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.

Blast Radius

2 pkgs affected

🐹github.com/filebrowser/filebrowser/v2🐹github.com/filebrowser/filebrowser

Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Go packages — download data is not available via public APIs for these ecosystems.

Description

Summary

The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers where the umask configuration has not been hardened before, this makes all the stated files readable by any operating system account.

Impact

The default permissions for new files on a standard Linux system are 0644, making them world-readable. That means that at least the following parties have full read access to all files managed by the Filebrowser from all scopes, as well as its database (including the password hashes stored in there):

All OS accounts on the server
All other applications running on the same server
Any Filebrowser user with Command Execution privileges having access to a command that allows reading a file's content

Vulnerability Description

On a Linux system, the file access permissions of new files are designated by the system wide umask setting, unless they are configured manually. Most distributions set this value to 022 by default which gives every account on the system read permissions on the file.

$ umask
022
$ touch foo
$ ls -l foo
-rw-r--r-- 1 sba sba 0 31. Mär 15:08 foo

Proof of Concept

Upload or create a file in the Filebrowser GUI and list the directory contents from a shell:

$ ls -l /srv/filebrowser/testdir
total 12
-rw-r--r-- 1 sba sba 7703 Mar 25 16:07 dummy1.pdf
-rw-r--r-- 1 sba sba    3 Mar 25 15:46 testfile.txt

The same can be validated for Docker based deployments within the container:

$ docker exec -it e0f075082a2c ls /srv/testdir -l
total 12
-rw-r--r--    1 1000     1000          7703 Mar 25 15:07 dummy1.pdf
-rw-r--r--    1 1000     1000             3 Mar 25 14:46 testfile.txt

Furthermore, the database used by the Filebrowser application is readable by any account:

$ ls -l /srv/filebrowser/filebrowser.db 
-rw-rw-r-- 1 sba sba 65536 Mar 25 09:58 /srv/filebrowser/filebrowser.db

Recommended Countermeasures

Since the system's umask configuration cannot be controlled by the Filebrowser, the application needs to set the permissions of all new files manually upon creation. No permissions should be given to the other category.

Implementing this won't fix the permissions for active instances after an update, so site administrators will need to fix the permissions manually:

$ chmod o-rwx -R /srv/filebrowser/datadir

Timeline

2025-03-25 Identified the vulnerability in version 2.32.0
2025-04-11 Contacted the project
2025-04-18 Vulnerability disclosed to the project
2025-06-25 Uploaded advisories to the project's GitHub repository
2025-06-26 CVE ID assigned by GitHub
2025-06-26 Fix released with version 2.33.7

References

Credits

Mathias Tausig (SBA Research)

Affected Packages

2 total 1 fixed

Ecosystem	Package	Vulnerable range	Fix
🐹Go	`github.com/filebrowser/filebrowser/v2`	all versions	2.33.7
🐹Go	`github.com/filebrowser/filebrowser`	all versions	No fix

Detection & mitigation playbook

Open-source dependency

Detect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for github.com/filebrowser/filebrowser/v2. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update github.com/filebrowser/filebrowser/v2 to 2.33.7 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-jj2r-455p-5gvf is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-jj2r-455p-5gvf is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-jj2r-455p-5gvf. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

Frequently Asked Questions

## Summary ## The file access permissions for files uploaded to or created from File Browser are never explicitly set by the application. The same is true for the database used by File Browser. On standard servers where the *umask* configuration has not been hardened before, this makes all the stated files readable by any operating system account. ## Impact ## The default permissions for new files on a standard Linux system are `0644`, making them world-readable. That means that at least the following parties have full read access to all files managed by the Filebrowser from all *scopes*, a

O3 Security · Impact-Aware SCA

Is GHSA-jj2r-455p-5gvf in your dependencies?

O3 detects GHSA-jj2r-455p-5gvf across Go dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.

Scan my dependencies How O3 SCA works