Published: 2025-12-05
Overview
This blog post discusses a security vulnerability, identified as CVE-2025-66545, affecting Nextcloud Groupfolders. This vulnerability allows a user with read-only permissions within a Nextcloud Groupfolder to restore files from the trash bin. This behavior deviates from the intended access control model, potentially leading to unintended data recovery by users who should not have such capabilities.
Technical Details
The vulnerability resides within the Groupfolders application for Nextcloud. Prior to versions 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, the application incorrectly permitted read-only users to interact with the trash bin in a way that allowed them to restore deleted files. The root cause lies in insufficient permission checks when handling trash bin restoration requests. This oversight allowed read-only users to bypass the intended access restrictions.
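To illustrate the root cause described above, here is an added Python model (not Groupfolders' own code) of a trash-restore handler that only checks read access, beside a hardened one that treats a restore as a write into the target folder. The folder model, user names and file name are constructed; only the permission bit values are taken from Nextcloud's OCP\Constants.

```python
from dataclasses import dataclass, field

# Permission bits as defined in Nextcloud's OCP\Constants.
PERMISSION_READ = 1
PERMISSION_UPDATE = 2
PERMISSION_CREATE = 4
PERMISSION_DELETE = 8
READ_ONLY = PERMISSION_READ
FULL = PERMISSION_READ | PERMISSION_UPDATE | PERMISSION_CREATE | PERMISSION_DELETE


class PermissionDenied(Exception):
    pass


@dataclass
class GroupFolder:
    """Constructed stand-in for a group folder: per-user ACL, live files, trash bin."""
    acl: dict[str, int]
    files: set[str] = field(default_factory=set)
    trash: set[str] = field(default_factory=set)

    def perms(self, user: str) -> int:
        return self.acl.get(user, 0)

    def delete(self, user: str, name: str) -> None:
        if not self.perms(user) & PERMISSION_DELETE:
            raise PermissionDenied(f"{user} may not delete {name}")
        self.files.discard(name)
        self.trash.add(name)


def restore_vulnerable(folder: GroupFolder, user: str, name: str) -> None:
    """Pre-fix logic: being able to see the trash item is treated as enough to restore it."""
    if not folder.perms(user) & PERMISSION_READ:
        raise PermissionDenied(f"{user} may not view the trash bin")
    folder.trash.remove(name)
    folder.files.add(name)


def restore_fixed(folder: GroupFolder, user: str, name: str) -> None:
    """Hardened logic: a restore writes into the folder, so it needs CREATE on the
    target, plus UPDATE if it would overwrite a live file of the same name."""
    required = PERMISSION_CREATE | (PERMISSION_UPDATE if name in folder.files else 0)
    if (folder.perms(user) & required) != required:
        raise PermissionDenied(f"{user} lacks write permission to restore {name}")
    folder.trash.remove(name)
    folder.files.add(name)


def can_restore(restore, viewer_perms: int) -> bool:
    """Run one restore implementation in a fresh constructed folder; True if the restore went through."""
    folder = GroupFolder(acl={"editor": FULL, "viewer": viewer_perms}, files={"report.odt"})
    folder.delete("editor", "report.odt")  # the editor moves the file to the trash bin
    try:
        restore(folder, "viewer", "report.odt")
    except PermissionDenied:
        return False
    return "report.odt" in folder.files
```

`can_restore(restore_vulnerable, READ_ONLY)` succeeds, which is the reported behaviour; `can_restore(restore_fixed, READ_ONLY)` is refused while users holding CREATE still restore normally.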
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns a score of 3.5 to CVE-2025-66545, indicating a LOW severity vulnerability. The CVSS vector likely includes the following characteristics:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality Impact (C): None (N)
- Integrity Impact (I): Low (L)
- Availability Impact (A): None (N)
While the CVSS score is low, the potential impact should still be considered, especially within environments with strict data governance policies.
Possible Impact
While the severity is low, the potential impact includes:
- Data Integrity Issues: Read-only users might inadvertently restore outdated or incorrect versions of files, leading to data integrity problems.
- Compliance Violations: If compliance regulations require strict access control and audit trails, unauthorized file restoration could lead to violations.
- Unexpected Data Recovery: Users could restore files that were intentionally deleted for valid reasons, disrupting workflows or causing confusion.
Mitigation or Patch Steps
The recommended mitigation is to upgrade Nextcloud Groupfolders to one of the following versions or later:
- 14.0.11
- 15.3.12
- 16.0.15
- 17.0.14
- 18.1.8
- 19.1.8
- 20.1.2
You can upgrade Groupfolders through the Nextcloud App Store within your Nextcloud instance. After the upgrade, verify that the fix is in place by confirming, as a user with read-only permissions on a group folder, that files in that folder's trash bin can no longer be restored.
