CVE-2025-62509

Name of the Vulnerable Software and Affected Versions FileRise versions prior to 1.4.0

Description FileRise is a self-hosted web-based file manager. A flaw in file/folder handling allows low-privilege users to perform unauthorized operations (view, delete, modify) on files created by other users. This is due to inferring ownership/visibility from folder names and missing server-side authorization checks. This issue represents an IDOR (Insecure Direct Object Reference) pattern, where an attacker can operate on resources identified by predictable names. The vulnerable operations occur through file operation endpoints.

Recommendations Update to version 1.4.0 or later. As a workaround, restrict non-admin users to read-only access. As a workaround, disable delete/rename APIs server-side. Avoid creating top-level folders named after other usernames. Add server-side checks to verify ownership before delete, rename, or move operations.