CVE-2025-66549: Nextcloud Desktop Leaks File Paths During Encryption – Update Now!

Overview

CVE-2025-66549 is a low-severity vulnerability affecting Nextcloud Desktop, the desktop sync client for Nextcloud. Prior to version 3.16.5, when a user attempted to manually lock a file within an end-to-end encrypted directory, the file’s path was transmitted to the server without encryption. This exposed the file path to administrators via server log files.

This advisory provides details about the vulnerability, its potential impact, and the steps required to mitigate the risk. This issue has been fixed in version 3.16.5 of Nextcloud Desktop.

Technical Details

The vulnerability stemmed from the lack of proper encryption when handling file paths during manual file locking operations within end-to-end encrypted directories. Specifically, when a user initiated a manual lock, the Nextcloud Desktop client sent the path of the file to the server. Due to a coding oversight, this path was not encrypted before transmission, making it visible to server administrators with access to server logs.

While the contents of the file remained encrypted, the file name and location were exposed, potentially revealing sensitive information about the user’s file structure and data organization.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-66549 a score of 2.4, indicating a LOW severity. The CVSS vector string would likely be AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N.

  • Attack Vector (AV:N): Network – The vulnerability is exploitable over the network.
  • Attack Complexity (AC:L): Low – Exploitation requires little to no specialized access conditions or circumstances.
  • Privileges Required (PR:H): High – An attacker needs administrative privileges on the Nextcloud server, specifically access to its log files.
  • User Interaction (UI:N): None – No user interaction is required to exploit this vulnerability.
  • Scope (S:U): Unchanged – An exploited vulnerability cannot affect resources beyond the attacker’s control.
  • Confidentiality (C:L): Low – There is a limited compromise of confidentiality. Sensitive information might be disclosed.
  • Integrity (I:N): None – There is no impact to integrity.
  • Availability (A:N): None – There is no impact to availability.

Possible Impact

Although classified as low severity, the unencrypted file path leak could have the following impact:

  • Information Disclosure: Server administrators could potentially learn sensitive information about users’ file structures and the types of data stored within their Nextcloud instance.
  • Targeted Attacks: The revealed file paths could be used to target specific files or users for more sophisticated attacks, although the files themselves would remain encrypted.
  • Privacy Concerns: The exposure of file paths, even without revealing the content, raises privacy concerns for users relying on end-to-end encryption for data protection.

It’s important to note that the exploit requires access to server logs, which are typically restricted to administrators.

Mitigation and Patch Steps

The vulnerability is resolved in Nextcloud Desktop version 3.16.5. To mitigate the risk, users should:

  1. Upgrade Nextcloud Desktop: Immediately update to version 3.16.5 or later. This can typically be done through the client’s built-in update mechanism or by downloading the latest version from the Nextcloud website.
  2. Verify the Update: After updating, confirm that the correct version is installed to ensure the fix is in place.
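As an added example (not code from this advisory or from the Nextcloud project), the following Python script lets a server administrator complement step 2 from the server side by listing which users are still connecting with a desktop client older than 3.16.5. It assumes nextcloud.log's JSON-lines format with a `userAgent` field and that the desktop client identifies itself as `mirall/<version>` in its User-Agent; the log entries embedded below are constructed sample data.

```python
import json
import re
from collections import defaultdict

# Fixed version named in the advisory.
FIXED_VERSION = (3, 16, 5)

# The Nextcloud desktop client sends "mirall/<version>" in its User-Agent
# header; nextcloud.log records that header in the "userAgent" field (assumed format).
MIRALL_RE = re.compile(r"mirall/(\d+)\.(\d+)\.(\d+)")


def client_version(user_agent):
    """Return the desktop client version as an int tuple, or None if this is not a desktop client."""
    m = MIRALL_RE.search(user_agent or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version):
    """True when the client predates the 3.16.5 fix."""
    return version is not None and version < FIXED_VERSION


def find_outdated_clients(log_lines):
    """Map each user to the set of pre-3.16.5 desktop client versions seen in the log."""
    outdated = defaultdict(set)
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        version = client_version(entry.get("userAgent"))
        if is_vulnerable(version):
            outdated[entry.get("user", "?")].add(".".join(map(str, version)))
    return dict(outdated)


# Constructed sample entries (not real log data); only the fields used here are included.
SAMPLE_LOG = """
{"reqId":"a1","time":"2025-01-01T10:00:00+00:00","user":"alice","method":"PROPFIND","url":"/remote.php/dav/files/alice/","userAgent":"Mozilla/5.0 (Linux) mirall/3.16.4 (Nextcloud, ubuntu-6.8.0)"}
{"reqId":"a2","time":"2025-01-01T10:00:05+00:00","user":"bob","method":"PROPFIND","url":"/remote.php/dav/files/bob/","userAgent":"Mozilla/5.0 (Windows) mirall/3.16.5 (Nextcloud, windows-10.0.22631)"}
{"reqId":"a3","time":"2025-01-01T10:00:09+00:00","user":"carol","method":"GET","url":"/index.php/apps/files/","userAgent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"}
{"reqId":"a4","time":"2025-01-01T10:01:00+00:00","user":"alice","method":"PROPFIND","url":"/remote.php/dav/files/alice/","userAgent":"Mozilla/5.0 (Macintosh) mirall/3.9.1 (Nextcloud, osx-23.6.0)"}
"""

if __name__ == "__main__":
    for user, versions in sorted(find_outdated_clients(SAMPLE_LOG.splitlines()).items()):
        print(f"{user}: still running desktop client {', '.join(sorted(versions))}")
```

Run it against a real nextcloud.log with `find_outdated_clients(open("nextcloud.log"))` to get the list of users to contact before the old clients lock more files in encrypted folders.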
