Overview
CVE-2025-65963 is a medium severity vulnerability affecting the CFiles module in HumHub, free social network software. Specifically, it impacts versions prior to 0.16.11 and 0.17.2. This vulnerability allows non-member users to create new folders and upload files as a ZIP archive in public spaces due to insufficient authorization checks. Private spaces are not affected.
Technical Details
The root cause of this vulnerability lies in the inadequate authorization mechanisms within the CFiles module. When handling requests to create folders or upload files in public spaces, the system fails to properly verify whether the user making the request is a member of the space. This oversight enables unauthorized users to bypass security restrictions and perform actions they should not be permitted to perform.
The vulnerability specifically affects the ability to create new folders and upload files in ZIP archive format. This could allow an attacker to upload malicious code or sensitive data, or otherwise compromise the integrity and availability of the HumHub instance.
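The missing check described above, modelled as an added example (not HumHub's or the CFiles module's own code): a flawed policy that confuses a space's public visibility with write permission, the corrected policy that keeps the two separate, and an audit helper that lists the requests only the flawed policy would have allowed. The Space class, the action names and the sample users are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of a space's visibility and membership; not HumHub's own data model.
@dataclass(frozen=True)
class Space:
    name: str
    public: bool
    members: frozenset = field(default_factory=frozenset)

WRITE_ACTIONS = {"create_folder", "upload_zip"}  # the actions the advisory names
READ_ACTIONS = {"list", "download"}

def can_act_vulnerable(space: Space, user: str, action: str) -> bool:
    """Flawed policy: public visibility is treated as permission to write."""
    if user in space.members:
        return True
    # Bug: a non-member reaches here and is allowed any action, writes included.
    return space.public

def can_act_fixed(space: Space, user: str, action: str) -> bool:
    """Corrected policy: writes require membership; public only widens reads."""
    if action in WRITE_ACTIONS:
        return user in space.members
    if action in READ_ACTIONS:
        return space.public or user in space.members
    return False  # deny anything not explicitly listed

def audit_requests(requests, spaces):
    """Return (user, space, action) tuples the flawed policy allowed but the
    fixed policy denies: the non-member writes worth reviewing after upgrading."""
    escalated = []
    for user, space_name, action in requests:
        space = spaces[space_name]
        if can_act_vulnerable(space, user, action) and not can_act_fixed(space, user, action):
            escalated.append((user, space_name, action))
    return escalated

# Constructed sample data: one public space, one private space, and a few requests.
SPACES = {
    "announcements": Space("announcements", public=True, members=frozenset({"alice"})),
    "finance": Space("finance", public=False, members=frozenset({"bob"})),
}
SAMPLE_REQUESTS = [
    ("alice", "announcements", "upload_zip"),       # member write: allowed either way
    ("mallory", "announcements", "create_folder"),  # non-member write: the bug
    ("mallory", "announcements", "list"),           # non-member read of a public space: fine
    ("mallory", "finance", "upload_zip"),           # private space: denied either way
]
```

Running `audit_requests(SAMPLE_REQUESTS, SPACES)` on the sample data returns only the non-member folder creation in the public space, which is exactly the case the advisory describes.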
CVSS Analysis
- Severity: MEDIUM
- CVSS Score: 5.4
A CVSS score of 5.4 indicates a medium severity vulnerability. While exploitation requires a public space to be configured, and private spaces are unaffected, the ease of exploitation makes it significant. The potential impact includes data corruption and possible system compromise.
Possible Impact
Exploitation of CVE-2025-65963 can lead to several negative consequences:
- Malicious File Upload: Attackers can upload malicious scripts (e.g., PHP, JavaScript) disguised within ZIP archives, potentially leading to remote code execution (RCE) if executed.
- Data Corruption: Unauthorized file uploads can corrupt existing data within the HumHub instance.
- Information Disclosure: Attackers might upload files containing sensitive information, leading to unauthorized access to confidential data.
- Denial of Service (DoS): Uploading large files can consume server resources, potentially leading to a denial-of-service condition.
Mitigation and Patch Steps
The vulnerability has been patched in the following versions:
- Version 0.16.11
- Version 0.17.2
To mitigate the risk, it is highly recommended to upgrade your HumHub CFiles module to one of these versions, or a later version, as soon as possible. If upgrading is not immediately possible, consider disabling the CFiles module for public spaces as a temporary workaround, although this will impact functionality.
Steps to Upgrade:
- Log in to your HumHub administration panel.
- Navigate to the Modules section.
- Locate the CFiles module.
- Click the “Update” button if an update is available.
- Follow the on-screen instructions to complete the update process.
