logo

Database

Server side cross-site scripting In github.com/filebrowser/filebrowser

Description

filebrowser allows Stored Cross-Site Scripting through the Markdown preview function

Summary

The Markdown preview function of File Browser v2.32.0 is vulnerable to Stored Cross-Site-Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser

Impact

A user can upload a malicious Markdown file to the application which can contain arbitrary HTML code. If another user within the same scope clicks on that file, a rendered preview is opened. JavaScript code that has been included will be executed.

Malicious actions that are possible include:

    Obtaining a user's session token

    Elevating the attacker's privileges, if the victim is an administrator (e.g., gaining command execution rights)

Vulnerability Description

Most Markdown parsers accept arbitrary HTML in a document and try rendering it accordingly. For instance, if one creates a file called xss.md with the following content:

# Hallo

<b>foo</b>

<img src="xx" onerror=alert(9)>
<i>bar</i>

Bold and italic text will be rendered. Also, the renderer used in File Browser will try to display the image and execute the code in the onerror event handler.

Proof of Concept

The screenshot shows that the code from the file mentioned above has actually been executed in the victim's browser:

JavaScript code being executed in the Markdown Preview

Recommended Countermeasures

The most thorough fix would be to reconfigure the application's Markdown parser to ignore all HTML elements and only render rich text which is part of the Markdown specification. If HTML rendering is considered to be a required feature, an HTML sanitizer like DOMPurify should be used, preferably in conjunction with a Content Security Policy (CSP).

Timeline

    2025-03-25 Identified the vulnerability in version 2.32.0

    2025-04-11 Contacted the project

    2025-04-18 Vulnerability disclosed to the project

    2025-06-25 Uploaded advisories to the project's GitHub repository

    2025-06-26 CVE ID assigned by GitHub

    2025-06-26 Fix released with version 2.33.7

References

Credits

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-529022. NVD-2025-529023. OSV-2025-529024. GHSA-4wx8-5gm2-2j975. GCVE-2025-52902

References

1. https://github.com/filebrowser/filebrowser/security/advisories/GHSA-4wx8-5gm2-2j972. https://github.com/filebrowser/filebrowser/commit/f19943a42e8e092e811dffbe9f4623dac36f1f0d3. https://github.com/sbaresearch/advisories/tree/public/2025/SBA-ADV-20250325-04_Filebrowser_Stored_XSS4. https://pkg.go.dev/vuln/GO-2025-3784

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.