Nextcloud Groupfolders up to 20.1.1 neutralization

Summaryinfo

A vulnerability has been found in Nextcloud Groupfolders up to 20.1.1 and classified as problematic. This issue affects some unknown processing. The manipulation leads to neutralization. This vulnerability is uniquely identified as CVE-2025-66545. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded.

Detailsinfo

A vulnerability was found in Nextcloud Groupfolders up to 20.1.1. It has been rated as problematic. This issue affects an unknown part. The manipulation with an unknown input leads to a neutralization vulnerability. Using CWE to declare the problem leads to CWE-707. The product does not ensure or incorrectly ensures that structured messages or data are well-formed and that certain security properties are met before being read from an upstream component or sent to a downstream component. Impacted is integrity. The summary by CVE is:

Nextcloud Groupfolders provides admin-configured folders shared by everyone in a group or team. Prior to 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2, a user with read-only permission can restore a file from the trash bin. This vulnerability is fixed in 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8, and 20.1.2.

It is possible to read the advisory at github.com. The identification of this vulnerability is CVE-2025-66545 since 12/04/2025. The exploitation is known to be easy. The attack may be initiated remotely. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available.

Upgrading to version 14.0.11, 15.3.12, 16.0.15, 17.0.14, 18.1.8, 19.1.8 or 20.1.2 eliminates this vulnerability. Applying the patch bbe87ebed8da23e9df4db637a76fbc8d36439d58 is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Cloud Software

Vendor

• Nextcloud

Name

• Groupfolders

Version

• 14.0.0
• 14.0.1
• 14.0.2
• 14.0.3
• 14.0.4
• 14.0.5
• 14.0.6
• 14.0.7
• 14.0.8
• 14.0.9
• 14.0.10
• 15.3.0
• 15.3.1
• 15.3.2
• 15.3.3
• 15.3.4
• 15.3.5
• 15.3.6
• 15.3.7
• 15.3.8
• 15.3.9
• 15.3.10
• 15.3.11
• 16.0.0
• 16.0.1
• 16.0.2
• 16.0.3
• 16.0.4
• 16.0.5
• 16.0.6
• 16.0.7
• 16.0.8
• 16.0.9
• 16.0.10
• 16.0.11
• 16.0.12
• 16.0.13
• 16.0.14
• 17.0.0
• 17.0.1
• 17.0.2
• 17.0.3
• 17.0.4
• 17.0.5
• 17.0.6
• 17.0.7
• 17.0.8
• 17.0.9
• 17.0.10
• 17.0.11
• 17.0.12
• 17.0.13
• 18.1.0
• 18.1.1
• 18.1.2
• 18.1.3
• 18.1.4
• 18.1.5
• 18.1.6
• 18.1.7
• 19.1.0
• 19.1.1
• 19.1.2
• 19.1.3
• 19.1.4
• 19.1.5
• 19.1.6
• 19.1.7
• 20.1.0
• 20.1.1

License

• open-source

Website

• Product: https://github.com/nextcloud/groupfolders/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion