filebrowser

v2.63.9 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 13h File Storage & Sync

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 2 known CVEs

Topics

file-browser file-manager file-sharing go material-design self-hosted

+1 more

vue

Affected surfaces

auth rce_ssrf

ReleasePort's take

Moderate signal

editorial:auto 10h

The release adds a security header to raw file responses and implements constant‑time comparison for share access token validation while preventing symlink scope escape during file operations.

Why it matters: Constant‑time token checks (severity 90) mitigate timing attacks; symlink escape prevention (severity 85) blocks privilege‑escalation paths in copy/move/rename APIs. Address these changes before deploying the v2.63.9 update.

Summary

AI summary

Fixed constant‑time comparison for share access tokens and prevented symlink scope escape in copy/move/rename.

Changes in this release

Type	Severity	Summary	CVE
Security
Security	Critical	Uses constant-time comparison for share access token checks Uses constant-time comparison for share access token checks Source: llm_adapter@2026-06-03 Confidence: high	—
Security	High	Adds X-Content-Type-Options: nosniff header to raw file responses Adds X-Content-Type-Options: nosniff header to raw file responses Source: llm_adapter@2026-06-03 Confidence: high	—
Security	High	Prevents symlink scope escape during copy/move/rename operations Prevents symlink scope escape during copy/move/rename operations Source: llm_adapter@2026-06-03 Confidence: high	—
Bugfix	Medium	Forces Content-Type: octet-stream for attachment downloads Forces Content-Type: octet-stream for attachment downloads Source: llm_adapter@2026-06-03 Confidence: high	—

Full changelog

Changelog

503fd6b01f311bf432b3fcf840acc5c79f23148f chore(release): 2.63.9
35db07d0159c520a6b3c969ac52033593914fadd fix: set X-Content-Type-Options: nosniff on raw file responses
19514367adf2d9fe5be2b7666e397979ea679b94 fix: use constant-time comparison for share access token
cdd666fc95f569ad583c32391e45646fed676dfd fix: prevent symlink scope escape in copy/move/rename
103acd15fe57554fe0246bfe70a49b6cb4ae0c51 fix: force octet-stream for attachment downloads (#5942)

Security Fixes

Use constant‑time comparison for share access tokens to mitigate timing attacks.
Prevent symlink scope escape in copy, move, and rename operations.

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track filebrowser

Get notified when new releases ship.

About filebrowser

Web File Browser

All releases →