CVE-2025-47793

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-47793

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47793.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-47793

Aliases

GHSA-qqgg-hhfq-vhww

Published

2025-05-16T14:31:50.742Z

Modified

2026-04-10T05:27:30.693485Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Nextcloud Server and Groupfolders app vulnerable to bypass of group folder quota limit using attachment in text file

Details

Nextcloud Server is a self hosted personal cloud system, and the Nextcloud Groupfolders app provides admin-configured folders shared by everyone in a group or team. In Nextcloud Server prior to 30.0.2, 29.0.9, and 28.0.1, Nextcloud Enterprise Server prior to 30.0.2 and 29.0.9, and Nextcloud Groupfolders app prior to 18.0.3, 17.0.5, and 16.0.11, the absence of quota checking on attachments allowed logged-in users to upload files exceeding the group folder quota. Nextcloud Server versions 30.0.2 and 29.0.9, Nextcloud Enterprise Server versions 30.0.2, 29.0.9, or 28.0.12, and Nextcloud Groupfolders app 18.0.3, 17.0.5, and 16.0.11 fix the issue. No known workarounds are available.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/47xxx/CVE-2025-47793.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/nextcloud/groupfolders

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/groupfolders

Events

Introduced

9d0b381c73939a2220f252d6e6797a50c53b1268

Fixed

7903c300e1349ed1564dfd54110ecec1e131a29c

Database specific

{
    "versions": [
        {
            "introduced": "18.0.0"
        },
        {
            "fixed": "18.0.3"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/groupfolders

Events

Introduced

8f0d9cb8f8438e863af4d2cf58c99d3e1892f6b6

Fixed

f44c8acef7a57970336337229b9b3b38015c7d08

Database specific

{
    "versions": [
        {
            "introduced": "17.0.0"
        },
        {
            "fixed": "17.0.5"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/groupfolders

Events

Introduced

fe0278e4f44e4e75b49d6914aad759be81bf9f3e

Fixed

d3982141d6a5c15fa0c1ebde60904e0b3146e4ec

Database specific

{
    "versions": [
        {
            "introduced": "16.0.0"
        },
        {
            "fixed": "16.0.11"
        }
    ]
}

Affected versions

v16.*

v16.0.0

v16.0.1

v16.0.10

v16.0.2

v16.0.3

v16.0.4

v16.0.5

v16.0.6

v16.0.7

v16.0.8

v16.0.9

v17.*

v17.0.0

v17.0.1

v17.0.2

v17.0.3

v17.0.4

v18.*

v18.0.0

v18.0.1

v18.0.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47793.json"

Git / github.com/nextcloud/server

Affected ranges

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

656488893e2175e19fbe273d76a5e16a598000c7

Fixed

c23cdf609c38966f00fd44866086767eb7d5f1b2

Database specific

{
    "versions": [
        {
            "introduced": "30.0.0"
        },
        {
            "fixed": "30.0.2"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

36ae775aa7c9af22bf33645a2d8807206ec6c85f

Fixed

b35875a225e754cb4fc60e9b1d45d4178ac59d6d

Database specific

{
    "versions": [
        {
            "introduced": "29.0.0"
        },
        {
            "fixed": "29.0.9"
        }
    ]
}

Type

GIT

Repo

https://github.com/nextcloud/server

Events

Introduced

e15fcecaf0d382cebff924ec2b1f5319e130c0e8

Fixed

d52e850623bd7f9ea8d880a39e440d58e7145257

Database specific

{
    "versions": [
        {
            "introduced": "28.0.0"
        },
        {
            "fixed": "28.0.12"
        }
    ]
}

Affected versions

v28.*

v28.0.0

v28.0.1

v28.0.10

v28.0.10rc1

v28.0.11

v28.0.11rc1

v28.0.12rc1

v28.0.12rc2

v28.0.1rc1

v28.0.2

v28.0.2rc1

v28.0.2rc2

v28.0.2rc3

v28.0.2rc4

v28.0.2rc5

v28.0.3

v28.0.3rc1

v28.0.3rc2

v28.0.4

v28.0.4rc1

v28.0.5

v28.0.5rc1

v28.0.6

v28.0.6rc1

v28.0.7

v28.0.7rc1

v28.0.7rc2

v28.0.7rc3

v28.0.7rc4

v28.0.8

v28.0.8rc1

v28.0.9

v28.0.9rc1

v29.*

v29.0.0

v29.0.1

v29.0.1rc1

v29.0.2

v29.0.2rc1

v29.0.2rc2

v29.0.3

v29.0.3rc1

v29.0.3rc2

v29.0.3rc3

v29.0.3rc4

v29.0.4

v29.0.4rc1

v29.0.5

v29.0.5rc1

v29.0.6

v29.0.6rc1

v29.0.7

v29.0.7rc1

v29.0.8

v29.0.8rc1

v29.0.9rc1

v29.0.9rc2

v30.*

v30.0.0

v30.0.1

v30.0.1rc1

v30.0.1rc2

v30.0.2rc1

v30.0.2rc2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-47793.json"