ghsa-4wx8-5gm2-2j97
Vulnerability from github
Published
2025-06-27 15:01
Modified
2025-06-27 15:02
Severity ?
7.6 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Summary
filebrowser allows Stored Cross-Site Scripting through the Markdown preview function
Details

Summary

The Markdown preview function of File Browser v2.32.0 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser

Impact

A user can upload a malicious Markdown file to the application which can contain arbitrary HTML code. If another user within the same scope clicks on that file, a rendered preview is opened. JavaScript code that has been included will be executed.

Malicious actions that are possible include:

  • Obtaining a user's session token
  • Elevating the attacker's privileges, if the victim is an administrator (e.g., gaining command execution rights)

Vulnerability Description

Most Markdown parsers accept arbitrary HTML in a document and try rendering it accordingly. For instance, if one creates a file called xss.md with the following content:

```markdown

Hallo

foo

bar ```

Bold and italic text will be rendered. Also, the renderer used in File Browser will try to display the image and execute the code in the onerror event handler.

Proof of Concept

The screenshot shows that the code from the file mentioned above has actually been executed in the victim's browser:

JavaScript code being executed in the Markdown Preview

Recommended Countermeasures

The most thorough fix would be to reconfigure the application's Markdown parser to ignore all HTML elements and only render rich text which is part of the Markdown specification. If HTML rendering is considered to be a required feature, an HTML sanitizer like DOMPurify should be used, preferably in conjunction with a Content Security Policy (CSP).

Timeline

  • 2025-03-25 Identified the vulnerability in version 2.32.0
  • 2025-04-11 Contacted the project
  • 2025-04-18 Vulnerability disclosed to the project
  • 2025-06-25 Uploaded advisories to the project's GitHub repository
  • 2025-06-26 CVE ID assigned by GitHub
  • 2025-06-26 Fix released with version 2.33.7

References

Credits

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.33.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-52902"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-27T15:01:15Z",
    "nvd_published_at": "2025-06-26T15:15:23Z",
    "severity": "HIGH"
  },
  "details": "## Summary ##\n\nThe Markdown preview function of File Browser v2.32.0 is vulnerable to *Stored Cross-Site-Scripting (XSS)*. Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser\n\n## Impact ##\n\nA user can upload a malicious Markdown file to the application which can contain arbitrary HTML code. If another user within the same scope clicks on that file, a rendered preview is opened. JavaScript code that has been included will be executed.\n\n Malicious actions that are possible include:\n \n  * Obtaining a user\u0027s session token\n  * Elevating the attacker\u0027s privileges, if the victim is an administrator (e.g., gaining command execution rights)\n\n## Vulnerability Description ##\n\nMost Markdown parsers accept arbitrary HTML in a document and try rendering it accordingly. For instance, if one creates a file called `xss.md` with the following content:\n\n```markdown\n# Hallo\n\n\u003cb\u003efoo\u003c/b\u003e\n\n\u003cimg src=\"xx\" onerror=alert(9)\u003e\n\u003ci\u003ebar\u003c/i\u003e\n```\n\nBold and italic text will be rendered. Also, the renderer used in File Browser will try to display the image and execute the code in the `onerror` event handler.\n\n## Proof of Concept ##\n\nThe screenshot shows that the code from the file mentioned above has actually been executed in the victim\u0027s browser:\n\n![JavaScript code being executed in the Markdown Preview](https://github.com/user-attachments/assets/3a3b9920-fbd8-433f-a016-ea77f5f68851)\n\n## Recommended Countermeasures ##\n\nThe most thorough fix would be to reconfigure the application\u0027s Markdown parser to ignore all HTML elements and only render rich text which is part of the Markdown specification. If HTML rendering is considered to be a required feature, an HTML sanitizer like DOMPurify should be used, preferably in conjunction with a *Content Security Policy* (CSP).\n\n## Timeline ##\n\n* `2025-03-25` Identified the vulnerability in version 2.32.0\n* `2025-04-11` Contacted the project\n* `2025-04-18` Vulnerability disclosed to the project\n* `2025-06-25` Uploaded advisories to the project\u0027s GitHub repository\n* `2025-06-26` CVE ID assigned by GitHub\n* `2025-06-26` Fix released with version 2.33.7\n\n## References ##\n\n* [DOMPurify](https://github.com/cure53/DOMPurify)\n\n## Credits ##\n\n* Mathias Tausig ([SBA Research](https://www.sba-research.org/))",
  "id": "GHSA-4wx8-5gm2-2j97",
  "modified": "2025-06-27T15:02:17Z",
  "published": "2025-06-27T15:01:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j97"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52902"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/f19943a42e8e092e811dffbe9f4623dac36f1f0d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "filebrowser allows Stored Cross-Site Scripting through the Markdown preview function"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.