filebrowser allows Stored Cross-Site Scripting through the Markdown preview function

Description

Summary

The Markdown preview function of File Browser v2.32.0 is vulnerable to Stored Cross-Site Scripting (XSS). Any JavaScript code that is part of a Markdown file uploaded by a user will be executed by the browser.

Impact

A user can upload a malicious Markdown file to the application which can contain arbitrary HTML code. If another user within the same scope clicks on that file, a rendered preview is opened. JavaScript code that has been included will be executed.

Malicious actions that are possible include:

  • Obtaining a user's session token
  • Elevating the attacker's privileges, if the victim is an administrator (e.g., gaining command execution rights)

Vulnerability Description

Most Markdown parsers accept arbitrary HTML in a document and try rendering it accordingly. For instance, if one creates a file called xss.md with the following content:

# Hallo

<b>foo</b>

<img src="xx" onerror=alert(9)>
<i>bar</i>

Bold and italic text will be rendered. Also, the renderer used in File Browser will try to display the image and execute the code in the onerror event handler.

Proof of Concept

The screenshot shows that the code from the file mentioned above has actually been executed in the victim's browser:

JavaScript code being executed in the Markdown Preview

Recommended Countermeasures

The most thorough fix would be to reconfigure the application's Markdown parser to ignore all HTML elements and only render rich text which is part of the Markdown specification. If HTML rendering is considered to be a required feature, an HTML sanitizer like DOMPurify should be used, preferably in conjunction with a Content Security Policy (CSP).
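To make the first countermeasure concrete, here is an added example (not File Browser's code) of a minimal Markdown-to-HTML renderer in JavaScript: with raw HTML passthrough the xss.md content above reaches the DOM untouched, while escaping the source first renders the same HTML as literal text. The helper names and the sample input are constructed for this illustration.

```javascript
// Added example (not File Browser's code): a minimal Markdown-to-HTML renderer
// showing why raw HTML passthrough turns a Markdown preview into stored XSS,
// and how treating HTML as literal text (the advisory's first fix) removes it.

// Constructed sample: the xss.md content described in the advisory.
const XSS_MD = [
  "# Hallo",
  "",
  "<b>foo</b>",
  "",
  '<img src="xx" onerror=alert(9)>',
  "<i>bar</i>",
].join("\n");

// Escape the five characters that can open markup or break out of attributes.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Inline Markdown only: **bold** and *italic* (Markdown syntax, not raw tags).
function renderInline(text) {
  return text
    .replace(/\*\*([^*]+)\*\*/g, "<strong>$1</strong>")
    .replace(/\*([^*]+)\*/g, "<em>$1</em>");
}

// allowRawHtml=true mimics the vulnerable behaviour: source text is copied into
// the output untouched, so <img onerror=...> survives into the DOM.
// allowRawHtml=false escapes the source first, so HTML is displayed, not parsed.
function renderMarkdown(markdown, { allowRawHtml = false } = {}) {
  const prepare = allowRawHtml ? (s) => s : escapeHtml;
  return markdown
    .split(/\n{2,}/)                 // blank lines separate blocks
    .map((block) => block.trim())
    .filter(Boolean)
    .map((block) => {
      const h = block.match(/^#\s+(.*)$/);
      if (h) return `<h1>${renderInline(prepare(h[1]))}</h1>`;
      return `<p>${renderInline(prepare(block.replace(/\n/g, " ")))}</p>`;
    })
    .join("\n");
}

// Defender-side check on the rendered output: flag <script> tags and inline
// event-handler attributes inside a tag, which a Markdown-only renderer never emits.
function hasActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=/i.test(html);
}
```

Running `hasActiveContent` over preview output is a cheap regression check that HTML passthrough has not been re-enabled; it is not a substitute for a real sanitizer such as DOMPurify when HTML rendering is required.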

Timeline

  • 2025-03-25 Identified the vulnerability in version 2.32.0
  • 2025-04-11 Contacted the project
  • 2025-04-18 Vulnerability disclosed to the project
  • 2025-06-25 Uploaded advisories to the project's GitHub repository
  • 2025-06-26 CVE ID assigned by GitHub
  • 2025-06-26 Fix released with version 2.33.7

Basic information

Type: reviewed
Severity: high
Published (advisory): 2025-06-27 15:01:15 UTC
Updated: 2025-08-04 20:33:16 UTC
GitHub reviewed: 2025-06-27 15:01:15 UTC
NVD published: 2025-06-26

EPSS Score

Score: 0.05%
Percentile: 14.06%

CVSS Scores

Base score: 7.6
Version: 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Credits

  • mtausig (reporter)
  • hacdias (remediation_developer)

Affected packages (2)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem: go
Package: github.com/filebrowser/filebrowser/v2
Vulnerable range: < 2.33.7
First patched: 2.33.7

Ecosystem: go
Package: github.com/filebrowser/filebrowser
Vulnerable range: <= 1.11.0
