Overview
CVE-2025-66510 is a medium severity vulnerability affecting Nextcloud Server. It allows any authenticated user to retrieve personal data (email addresses, names and user identifiers) of other users through the contacts search functionality, because access control on the search results is not properly enforced. A malicious user can therefore gather information about accounts they have no relationship with and have never added as contacts.
Technical Details
The vulnerability resides in how Nextcloud Server handles access control during contacts searches. Specifically, versions prior to 31.0.10 and 32.0.1 of Nextcloud Server, and Nextcloud Enterprise Server versions prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10 are susceptible.
The issue arises because the search function does not adequately enforce the principle of least privilege when filtering its results. In the vulnerable versions, an authenticated user who initiates a search receives more than they are entitled to see, including sensitive details about other users with whom they have no direct relationship.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-66510 is 4.5, indicating medium severity. The CVSS vector reflects the following characteristics:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): Low (L)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality (C): Low (L)
- Integrity (I): None (N)
- Availability (A): None (N)
This score reflects that the vulnerability is exploitable over the network with only low privileges and no user interaction, but that its impact is limited to a low loss of confidentiality, with no effect on integrity or availability.
Possible Impact
Exploitation of CVE-2025-66510 can have several negative consequences:
- Data Leakage: Exposed email addresses, names, and user identifiers can be used for targeted phishing, spam campaigns, or social engineering attempts.
- Privacy Violation: Unauthorized access to personal data violates user privacy and can damage trust in the Nextcloud platform.
- Reconnaissance: Attackers can use the exposed information to map out user accounts and relationships within the Nextcloud instance, facilitating further attacks.
Mitigation or Patch Steps
The recommended mitigation is to update your Nextcloud Server to a patched version as soon as possible. Specifically:
- On the 31 release line, upgrade Nextcloud Server to version 31.0.10 or later.
- On the 32 release line, upgrade Nextcloud Server to version 32.0.1 or later.
- For Nextcloud Enterprise Server, upgrade to version 28.0.14.11, 29.0.16.8, 30.0.17.3, or 31.0.10 or later, according to your release line.
Applying the latest security patches resolves the underlying access control issue, preventing unauthorized retrieval of user data during contacts searches.
Follow the official Nextcloud upgrade instructions for a smooth and secure update process.
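As an added example (not the advisory's or the Nextcloud project's own code), the check below compares an installed Nextcloud version against the fixed builds listed above, per release line. It assumes that `occ status` prints a `versionstring:` field carrying the server version (the sample output is constructed), and it reports release lines newer than any the advisory names as unlisted rather than guessing that they are fixed.

```python
import re

# Fixed builds per major release line, taken from the advisory text.
FIXED_COMMUNITY = {31: (31, 0, 10), 32: (32, 0, 1)}
FIXED_ENTERPRISE = {28: (28, 0, 14, 11), 29: (29, 0, 16, 8),
                    30: (30, 0, 17, 3), 31: (31, 0, 10)}

# Constructed sample of `occ status` output; that the "versionstring:" field
# carries the human-readable server version is an assumption of this example.
SAMPLE_OCC_STATUS = """\
  - installed: true
  - version: 31.0.9.1
  - versionstring: 31.0.9
  - maintenance: false
"""

def parse_version(text):
    """Turn '31.0.9' or '28.0.14.11' into an int tuple (compares lexicographically)."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def version_from_occ_status(output):
    """Pull the version string out of `occ status` output (field name assumed)."""
    match = re.search(r"^\s*-\s*versionstring:\s*(\S+)", output, re.MULTILINE)
    if match is None:
        raise ValueError("no versionstring line in occ status output")
    return match.group(1)

def assess(version_text, enterprise=False):
    """Classify a build as 'fixed', 'vulnerable' or 'unlisted' for CVE-2025-66510."""
    version = parse_version(version_text)
    table = FIXED_ENTERPRISE if enterprise else FIXED_COMMUNITY
    line = version[0]
    if line in table:
        # Same release line as a fixed build: at or above that build is fixed.
        return "fixed" if version >= table[line] else "vulnerable"
    if line < min(table):
        # Older than every fixed line, i.e. "prior to" the earliest fixed build.
        return "vulnerable"
    # Newer than any line the advisory names: its text does not cover it, so
    # report that rather than assume the fix is present.
    return "unlisted"

if __name__ == "__main__":
    installed = version_from_occ_status(SAMPLE_OCC_STATUS)
    print(installed, "->", assess(installed))  # 31.0.9 -> vulnerable
```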
