CVE-2026-25890: The Double-Slash Bypass in File Browser
Vulnerability ID: CVE-2026-25890
CVSS Score: 8.1
Published: 2026-02-10
A high-severity path traversal and authorization bypass vulnerability exists in File Browser versions prior to 2.57.1. Due to improper URL normalization settings in the Gorilla Mux router, specifically the use of SkipClean(true), the application fails to sanitize request paths before evaluating security rules. This discrepancy allows authenticated users to bypass 'Disallow' file restrictions simply by prepending an extra slash (e.g., //private/) to the URL. While the application logic sees the path as safe, the underlying filesystem resolves it correctly, granting unauthorized access to sensitive files.
TL;DR
File Browser < 2.57.1 allows users to bypass file access restrictions by adding extra slashes to the URL (e.g., //forbidden). The app's router was told to skip cleaning paths, causing the security check to fail while the OS still serves the file.
⚠️ Exploit Status: POC
Technical Details
- CVE ID: CVE-2026-25890
- CVSS: 8.1 (High)
- Attack Vector: Network
- CWE: CWE-706 / CWE-863
- Fix Version: 2.57.1
- Impact: Authorization Bypass
Affected Systems
- File Browser < 2.57.1 (fixed in 2.57.1)
Code Analysis
Commit: 489af40
fix: remove skip clean from router
@@ -35,11 +35,6 @@ func NewHandler(
})
index, static := getStaticHandlers(store, server, assetsFs)
- // NOTE: This fixes the issue where it would redirect if people did not put a
- // trailing slash in the end. I hate this decision since this allows some awful
- // URLs https://www.gorillatoolkit.org/pkg/mux#Router.SkipClean
- r = r.SkipClean(true)
-
monkey := func(fn handleFunc, prefix string) http.Handler {
return handle(fn, prefix, store, server)
}
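Review bot: Dropping `r = r.SkipClean(true)` hands path cleaning back to the router's default, but the removed comment records why the flag was set in the first place (to avoid redirects when callers omitted the trailing slash), so that redirect behaviour returns with this hunk; the change should state that trade-off and ship a regression test asserting that a request with a doubled leading slash against a Disallow rule is rejected, so a later router tweak cannot quietly reintroduce the bypass.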
Exploit Details
- GitHub Security Advisory: Technical description of the bypass method using double slashes.
Mitigation Strategies
- Update to patched version
- Implement WAF rules to normalize paths
- Configure reverse proxy to merge slashes
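The path normalization the mitigations above rely on, shown against the kind of rule check the summary describes, as an added example; this is constructed illustration code, not File Browser's own, and the DenyRule type, NewDenyRule, AllowedRaw, NormalizePath and AllowedNormalized are hypothetical names:

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed example, not File Browser's own code: a minimal "Disallow" rule
// check showing why a request path the router did not clean slips past a
// prefix rule, and how normalising it first closes the gap.

// DenyRule forbids a directory and everything beneath it; Dir is kept in
// cleaned form without a trailing slash, e.g. "/private".
type DenyRule struct{ Dir string }
func NewDenyRule(dir string) DenyRule { return DenyRule{Dir: path.Clean("/" + dir)} }
// matches reports whether p is the denied directory itself or lies beneath it.
func (r DenyRule) matches(p string) bool {
	return p == r.Dir || strings.HasPrefix(p, r.Dir+"/")
}

// AllowedRaw evaluates rules against the path exactly as received, which is
// what a router configured with SkipClean(true) hands to the handler.
// "//private/secret.txt" is neither "/private" nor prefixed by "/private/",
// so no rule fires, although the filesystem resolves it to the same file.
func AllowedRaw(reqPath string, rules []DenyRule) bool {
	for _, r := range rules {
		if r.matches(reqPath) {
			return false
		}
	}
	return true
}

// NormalizePath collapses repeated slashes and resolves "." and ".." the way
// the filesystem layer will, so the rule engine sees the effective path.
func NormalizePath(reqPath string) string { return path.Clean("/" + reqPath) }

// AllowedNormalized is the hardened check: normalise first, then match rules.
func AllowedNormalized(reqPath string, rules []DenyRule) bool {
	return AllowedRaw(NormalizePath(reqPath), rules)
}

func main() {
	rules := []DenyRule{NewDenyRule("/private")}
	for _, p := range []string{"/private/secret.txt", "//private/secret.txt", "/public/../private/x"} {
		fmt.Printf("%-22s raw=%-5v normalized=%v\n", p, AllowedRaw(p, rules), AllowedNormalized(p, rules))
	}
}
```

Running it prints one line per sample path; only the normalized column denies all three, which is the property a WAF or reverse-proxy slash-merging rule is meant to guarantee before the request reaches the application.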
Remediation Steps
- Stop the running File Browser instance.
- Download the v2.57.1 binary from the official GitHub releases page.
- Replace the old binary with the new one.
- Restart the service.
References
Read the full report for CVE-2026-25890 on our website for more details including interactive diagrams and full exploit analysis.