Nextcloud Desktop discloses information when attempting to lock a file...

2.4 / 10

LOW

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N

Description

Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.

Basic Information

ID CVE-2025-66549

Source GitHub_M

Published Dec 5, 2025 at 17:47

Affected Product

Vendor nextcloud

Product security-advisories

Version < 3.16.5

Affected Versions nextcloud security-advisories < 3.16.5

CWE Classification

CWE-209

References

{
    "lastseen": "",
    "description": "Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.",
    "published": "2025-12-05T17:47:00.748Z",
    "modified": "2025-12-05T17:47:00.748Z",
    "type": "cve",
    "title": "Nextcloud Desktop discloses information when attempting to lock a file inside a end-to-end encrypted directory",
    "source": "GitHub_M",
    "references": "https://github.com/nextcloud/security-advisories/security/advisories/GHSA-h9xj-qh76-q3hw\nhttps://github.com/nextcloud/desktop/pull/8330\nhttps://github.com/nextcloud/desktop/commit/36d6c234d42b06a6f2e9de3e413a5c3c625edad6\nhttps://hackerone.com/reports/3159877",
    "id": "CVE-2025-66549",
    "bulletinFamily": "",
    "cwe": [
        "CWE-209"
    ],
    "cvelist": null,
    "sourceData": "nextcloud security-advisories < 3.16.5",
    "sourceHref": "",
    "cvss": {
        "score": 2.4,
        "severity": "LOW",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "security-advisories",
    "version": "< 3.16.5",
    "vendor": "nextcloud",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Nextcloud Desktop discloses information when attempting to lock a file inside a end-to-end encrypted directory_CVE-2025-66549