MeldSecurity
Press Enter to search
CVE Database & Search โ†’
Sign In Get Started

CVE-2025-62509

๐Ÿ”ด HIGH

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRiseโ€™s file/folder handling allows low-priv...

Published
Oct 20, 2025
Last Modified
Oct 21, 2025
Views
1
Bookmarks
0

Description

Request Expert Review

FileRise is a self-hosted web-based file manager with multi-file upload, editing, and batch operations. Prior to version 1.4.0, a business logic flaw in FileRiseโ€™s file/folder handling allows low-privilege users to perform unauthorized operations (view/delete/modify) on files created by other users. The root cause was inferring ownership/visibility from folder names (e.g., a folder named after a username) and missing server-side authorization/ownership checks across file operation endpoints. This amounted to an IDOR pattern: an attacker could operate on resources identified only by predictable names. This issue has been patched in version 1.4.0 and further hardened in version 1.5.0. A workaround for this issue involves restricting non-admin users to read-only or disable delete/rename APIs server-side, avoid creating top-level folders named after other usernames, and adding server-side checks that verify ownership before delete/rename/move.

CVSS Scores

CVSS 3.1 8.1
8.1
HIGH
CVSS 2.0 8.1

References

github.com github.com github.com

Additional Information

Source
security-advisories@github.com
State
Awaiting analysis

Related CVEs

CVE-2025-4522

MEDIUM

The IDonate โ€“ Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the admin...

Score: 6.5

CVE-2025-4519

HIGH

The IDonate โ€“ Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Privilege Escalation due to a missing capabili...

Score: 8.8

CVE-2025-12352

CRITICAL

The Gravity Forms plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the copy_post_image() function i...

Score: 9.8

CVE-2025-64323

MEDIUM

kgateway is a Cloud-Native API and AI Gateway. Versions 2.0.4 and below and 2.1.0-agw-cel-rbac through 2.1.0-rc.2 lack authentication, allowing any cl...

Score: 5.3

CVE-2025-64184

HIGH

Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from dif...

Score: 8.8

CVE-2025-64180

CRITICAL

Manager-io/Manager is accounting software. In Manager Desktop and Server versions 25.11.1.3085 and below, a critical vulnerability permits unauthorize...

Score: 10.0

Share CVE-2025-62509

Share on Social Media

Copy Link

Embed Code

Request Expert Analysis

Request a professional security analysis for CVE-2025-62509 from our verified experts.

Credits System

Use your credits to get expert analysis from verified security professionals. Purchase more credits anytime!

Add 3 credits for accelerated delivery

Base Cost: 8 credits
Priority Upgrade: + credits
SLA Acceleration: +3 credits
Total Cost:
Your Balance:

Insufficient Credits

You need more credits to submit this request.

Buy Credits

Report Analysis