N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-53826

GHSA ID

GHSA-7xwp-2cpp-p8r7

EPSS Score

0.1958%

CWE

CWE-305

Published

7/16/2025

Updated

7/16/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-53826

CVE-2025-53826: File Browser’s insecure JWT handling can lead to session replay attacks after logout

Summary

File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs out. Please refer to the CWE's listed in this report for further reference and system standards. In summary, the main issue is:

Tokens remain valid after logout (session replay attacks)

In this report, I used docker as the documentation instruct:

docker run \
    -v filebrowser_data:/srv \
    -v filebrowser_database:/database \
    -v filebrowser_config:/config \
    -p 8080:80 \
    filebrowser/filebrowser

Details

Issue: Tokens remain valid after logout (session replay attacks)

After logging in and receiving a JWT token, the user can explicitly "log out." However, this action does not invalidate the issued JWT. Any captured token can be replayed post-logout until it expires naturally. The backend does not track active sessions or invalidate existing tokens on logout. Login request:

POST /api/login HTTP/1.1
Host: machine.local:8090
Content-Length: 69

{"username":"admin","password":"password-here","recaptcha":""}

The check found in the code https://github.com/filebrowser/filebrowser/blob/master/http/auth.go is not enough. There is no server-side blacklist or token invalidation on logout. Token renewal and validity only depends on expiry and user store timestamps:

expired := !tk.VerifyExpiresAt(time.Now().Add(time.Hour), true)
updated := tk.IssuedAt != nil && tk.IssuedAt.Unix() < d.store.Users.LastUpdate(tk.User.ID)

PoC

Issue: Tokens remain valid after logout (session replay attacks)

POST /api/login HTTP/1.1
Host: machine.local:8090
Content-Length: 69

{"username":"admin","password":"password-here","recaptcha":""}

Logout in the dashboard. And then try to use the old generated JWT to access any authenticated endpoint eg:

GET /api/resources HTTP/1.1
Host: machine.local:8090
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Safari/537.36
X-Auth: Old-JWT-token-here
Content-Length: 173
Accept: */*
Referer: http://machine.local:8090/files/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Content-Length: 26

Connection: keep-alive

Impact

A valid JWT remains active after user logout.
If stolen, tokens persist access indefinitely until expiry.
Violates OWASP Top 10 A2:2021 - Broken Authentication.

Recommendations

Read all CWE's attached in this report
Invalidate JWTs on logout via session store / token blacklist.
Reduce JWT ExpiresAt where possible or use short-lived + refresh tokens.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-53826

CVE-2025-53826:

N/A

CVSS Score

-

CVSS Score

Basic Information

CVE ID

CVE-2025-53826

GHSA ID

GHSA-7xwp-2cpp-p8r7

EPSS Score

0.1958%

CWE

CWE-305

Published

7/16/2025

Updated

7/16/2025

KEV Status

Technology

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/filebrowser/filebrowser	go	<= 2.39.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

An analysis of the provided Go code from filebrowser/filebrowser reveals a critical vulnerability in its authentication mechanism. The core of the issue lies in how JSON Web Tokens (JWTs) are managed, specifically the lack of a server-side invalidation process upon user logout. This allows for session replay attacks using JWTs that are still valid even after a user has explicitly logged out.

The function http.withUser serves as a middleware for authenticating user requests. Its responsibility is to validate the JWT presented by the user. However, its validation logic is insufficient. It primarily checks for two conditions:

Token expiration.
Whether the user's profile has been updated since the token was issued.

Crucially, it does not consult a token blacklist or any other mechanism to determine if the user has logged out. Consequently, any JWT, once issued, remains valid until its natural expiration, regardless of logout events. An attacker who captures a user's JWT can therefore continue to access the system on their behalf.

The http.loginHandler function is the entry point for this vulnerability. It authenticates users and, upon success, calls http.printToken to generate and issue the JWT. This token is then susceptible to the replay attack.

Similarly, the http.renewHandler is also implicated. It allows a user with a valid, soon-to-expire token to obtain a new one. This is part of the token lifecycle management that is missing the critical invalidation step.

To mitigate this vulnerability, the application should implement a server-side mechanism to track active sessions or maintain a blacklist of invalidated tokens. When a user logs out, their token should be added to this blacklist. The http.withUser function must then be updated to check this blacklist during token validation, ensuring that logged-out sessions cannot be reused.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

N/A

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-53826: File Browser’s insecure JWT handling can lead to session replay attacks after logout

Summary

Details

PoC

Impact

Recommendations

CVE-2025-53826:

N/A

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

N/A

N/A

Technical Details

CVE-2025-53826: File Browser’s insecure JWT handling can lead to session replay attacks after logout

Summary

Details

PoC

Impact

Recommendations

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI