CVE-2025-47791
- Source
- https://cve.org/CVERecord?id=CVE-2025-47791
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47791.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-47791
- Aliases
-
- GHSA-c7vq-m7f8-rx37
- Published
- 2025-05-16T14:09:27.322Z
- Modified
- 2026-04-02T12:50:19.322042Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- Nextcloud Server's test remote endpoint is not rate limited
- Details
-
Nextcloud Server is a self hosted personal cloud system. In Nextcloud Server prior to 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server prior to 28.0.13, 29.0.10, and 30.0.3, a currently unused endpoint to verify a share recipient was not protected correctly, allowing to proxy requests to another server. The endpoint was removed in Nextcloud Server 28.0.13, 29.0.10, and 30.0.3 and Nextcloud Enterprise Server 28.0.13, 29.0.10, and 30.0.3. No known workarounds are available.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47791.json", "cwe_ids": [ "CWE-918" ], "cna_assigner": "GitHub_M" }- References
Affected packages
Git / github.com/nextcloud/server
Affected ranges
Affected versions
v28.*
v28.0.0
v28.0.1
v28.0.10
v28.0.10rc1
v28.0.11
v28.0.11rc1
v28.0.12
v28.0.12rc1
v28.0.12rc2
v28.0.13rc1
v28.0.1rc1
v28.0.2
v28.0.2rc1
v28.0.2rc2
v28.0.2rc3
v28.0.2rc4
v28.0.2rc5
v28.0.3
v28.0.3rc1
v28.0.3rc2
v28.0.4
v28.0.4rc1
v28.0.5
v28.0.5rc1
v28.0.6
v28.0.6rc1
v28.0.7
v28.0.7rc1
v28.0.7rc2
v28.0.7rc3
v28.0.7rc4
v28.0.8
v28.0.8rc1
v28.0.9
v28.0.9rc1
v29.*
v29.0.0
v29.0.1
v29.0.10rc1
v29.0.1rc1
v29.0.2
v29.0.2rc1
v29.0.2rc2
v29.0.3
v29.0.3rc1
v29.0.3rc2
v29.0.3rc3
v29.0.3rc4
v29.0.4
v29.0.4rc1
v29.0.5
v29.0.5rc1
v29.0.6
v29.0.6rc1
v29.0.7
v29.0.7rc1
v29.0.8
v29.0.8rc1
v29.0.9
v29.0.9rc1
v29.0.9rc2
v30.*
v30.0.0
v30.0.1
v30.0.1rc1
v30.0.1rc2
v30.0.2
v30.0.2rc1
v30.0.2rc2
v30.0.3rc1
v30.0.3rc2