Vulnerability Description
FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder names. Low-privilege users could see or interact with folders matching their username and, in some cases, other users’ content. This issue has been patched in version 1.5.0, where it introduces explicit per-folder ACLs (owners/read/write/share/read_own) and strict server-side checks across list, read, write, share, rename, copy/move, zip, and WebDAV paths.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Filerise | Filerise | < 1.5.0 |
Related Weaknesses (CWE)
References
- https://github.com/error311/FileRise/commit/b6d86b78967baa2f5a1e191903fc4df13998Patch
- https://github.com/error311/FileRise/issues/55Issue Tracking
- https://github.com/error311/FileRise/security/advisories/GHSA-jm96-2w52-5qjjVendor Advisory
FAQ
What is CVE-2025-62510?
CVE-2025-62510 is a vulnerability with a CVSS score of 8.1 (HIGH). FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. In version 1.4.0, a regression allowed folder visibility/ownership to be inferred from folder na...
How severe is CVE-2025-62510?
CVE-2025-62510 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-62510?
Check the references section above for vendor advisories and patch information. Affected products include: Filerise Filerise.