Platform
nextcloud
Component
approval
Fixed in
2.0.1
1.3.2
CVE-2025-66515 affects the Nextcloud Approval app, the component that implements file approval workflows in Nextcloud. An authenticated user who is designated as a 'requester' in an approval rule can place another user's file into the 'pending approval' state without having any access to that file: the app checks the user's workflow role but not whether the user can actually reach the target file. The prose on this page gives the affected range as 2.0.0 through 2.4.9 with a fix in 2.5.0, while the metadata above lists the fixed releases as 2.0.1 and 1.3.2; these claims conflict, so check the vendor advisory for the authoritative fixed release before relying on either.
The primary impact of CVE-2025-66515 is unauthorized manipulation of file approval workflows. A requester can force files belonging to other users into the pending state, which sidesteps the access check that should gate that action. The severity is rated LOW: the attacker needs an account that already holds the requester role, cannot read or modify the file's contents through this flaw, and mainly gains the ability to disrupt workflows, for example by pushing files that an approver never expected to see into an approval queue. The bypass matters most in deployments where the approval state itself is treated as a security control, such as a release or publication gate, because there the state of a file is a trust signal that this bug lets an unauthorized user set.
CVE-2025-66515 has a LOW CVSS score and, as of the publication date (2025-12-05), there are no publicly known exploits or active campaigns targeting it. It is not listed in CISA's KEV catalogue; its EPSS score is 0.02% (5th percentile). The requirement for an authenticated account holding the 'requester' role limits the attack surface. Organizations should still schedule the upgrade rather than leave the app on a vulnerable release.
Exploit status
EPSS
0.02% (percentile 5%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-66515 is to upgrade the Nextcloud Approval app to a fixed release. If an immediate upgrade is not feasible because of compatibility concerns or downtime constraints, reduce exposure in the meantime: review each approval rule, keep the set of accounts holding the 'requester' role as small as the workflow allows, and remove rules that are no longer needed. A WAF or reverse proxy cannot block this flaw directly, because the offending requests are ordinary authenticated API calls from a user who legitimately holds the requester role; at most it can log approval-related requests so that unusual volumes or unexpected users can be reviewed afterwards. After upgrading, confirm the fix with a controlled test: using an account that is a requester in some rule, attempt to request approval for a file that is owned by another user and not shared with the test account, and verify that the request is refused and the file's approval state is unchanged.
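The authorization gap described above, and the post-upgrade check in the mitigation paragraph, as an added illustrative model written for this page. This is not code from the Nextcloud Approval app: the data structures, the `user_can_access` helper and the sample users and files are assumptions chosen to show the bug class, namely a request-approval action that verifies only workflow-role membership beside one that also verifies access to the target file, and a small regression check that runs the cross-user scenario against either handler.

```python
"""Model of the authorization gap behind CVE-2025-66515 (added example,
not Nextcloud Approval app code). All names and the access model below
are assumptions made for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field


class PermissionDenied(Exception):
    """Raised when an action is refused by an authorization check."""


@dataclass
class ApprovalRule:
    rule_id: int
    requesters: set[str]            # users allowed to request approval under this rule
    approvers: set[str]             # users allowed to approve or reject


@dataclass
class File:
    file_id: int
    owner: str
    shared_with: set[str] = field(default_factory=set)
    state: str = "none"             # "none" | "pending" | "approved" | "rejected"


def user_can_access(user: str, f: File) -> bool:
    """Assumed file-access check: the owner or a share recipient may reach the file."""
    return user == f.owner or user in f.shared_with


def request_approval_vulnerable(user: str, f: File, rule: ApprovalRule) -> str:
    """Pre-fix behaviour as the page describes it: only the workflow role is
    checked, so a requester can move any file id they can name into 'pending'."""
    if user not in rule.requesters:
        raise PermissionDenied("user is not a requester for this rule")
    f.state = "pending"
    return f.state


def request_approval_fixed(user: str, f: File, rule: ApprovalRule) -> str:
    """Hardened behaviour: the role check and the file-access check must both pass.
    The order matters little for correctness, but checking access to the target
    first avoids leaking rule membership to users who cannot see the file."""
    if not user_can_access(user, f):
        raise PermissionDenied("user has no access to the target file")
    if user not in rule.requesters:
        raise PermissionDenied("user is not a requester for this rule")
    f.state = "pending"
    return f.state


def regression_check(handler) -> dict:
    """Run the verification scenario from the mitigation section against a handler.

    Sample data is constructed: 'mallory' is a legitimate requester, 'alice' owns a
    file that is not shared with her. A correct handler allows the request on
    mallory's own file, refuses it on alice's file, and leaves alice's file in
    its original state."""
    rule = ApprovalRule(rule_id=1, requesters={"mallory", "alice"}, approvers={"bob"})
    own_file = File(file_id=10, owner="mallory")
    foreign_file = File(file_id=11, owner="alice")      # not shared with mallory
    results = {}

    try:
        handler("mallory", own_file, rule)
        results["own_file"] = "allowed"
    except PermissionDenied:
        results["own_file"] = "denied"

    try:
        handler("mallory", foreign_file, rule)
        results["foreign_file"] = "allowed"
    except PermissionDenied:
        results["foreign_file"] = "denied"

    results["foreign_state"] = foreign_file.state
    return results


if __name__ == "__main__":
    print("vulnerable:", regression_check(request_approval_vulnerable))
    print("fixed:     ", regression_check(request_approval_fixed))
```

The same shape of test, with real accounts instead of the constructed ones, is what the mitigation paragraph asks you to run against the upgraded app: a requester acting on a file they cannot reach must be refused, and the file's approval state must not change.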
Update the Nextcloud Approval app to version 1.3.1 or later, or to version 2.5.0 or later. This corrects the vulnerability that allows unauthorized users to change the approval state of files. The update can be performed through the Nextcloud administration interface.
CVE-2025-66515 is a LOW severity vulnerability in the Nextcloud Approval app that allows authenticated requesters to bypass file access controls and place files into a pending approval state without direct access.
You are affected if you are using the Nextcloud Approval app versions 2.0.0 through 2.4.9. Upgrade to version 2.5.0 or later to mitigate the vulnerability.
The recommended fix is to upgrade the Nextcloud Approval app to version 2.5.0 or later. Consider stricter access controls if immediate upgrading is not possible.
As of December 5, 2025, there are no publicly known exploits or active campaigns targeting CVE-2025-66515.
Refer to the official Nextcloud security advisories for the authoritative details of CVE-2025-66515, including the exact affected and fixed releases: [https://nextcloud.com/security/advisories](https://nextcloud.com/security/advisories)