Vulnerability Description
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nextcloud | Desktop | >= 3.0.0, < 3.16.5 |
Related Weaknesses (CWE)
References
- https://github.com/nextcloud/desktop/commit/36d6c234d42b06a6f2e9de3e413a5c3c625ePatch
- https://github.com/nextcloud/desktop/pull/8330Issue Tracking
- https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h9xj-qPatchVendor Advisory
- https://hackerone.com/reports/3159877Permissions RequiredVendor Advisory
FAQ
What is CVE-2025-66549?
CVE-2025-66549 is a vulnerability with a CVSS score of 2.4 (LOW). Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server u...
How severe is CVE-2025-66549?
CVE-2025-66549 has been rated LOW with a CVSS base score of 2.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-66549?
Check the references section above for vendor advisories and patch information. Affected products include: Nextcloud Desktop.