EUVD-2025-201462
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:N/A:N
Lifecycle Timeline
4Description
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
Analysis
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
Technical Context
Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Error Message Information Leak (CWE-209).
Affected Products
Affected products: Nextcloud Desktop
Remediation
A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| questing | not-affected | 3.16.6-3 |
| upstream | released | 3.16.6-3 |
| plucky | ignored | end of life, was needs-triage |
Debian
| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 3.1.1-2+deb11u1 | - |
| bullseye (security) | vulnerable | 3.1.1-2+deb11u2 | - |
| bookworm | vulnerable | 3.7.3-1+deb12u2 | - |
| trixie | fixed | 3.16.7-1~deb13u1 | - |
| forky, sid | fixed | 4.0.6-1 | - |
| (unstable) | fixed | 3.16.6-3 | - |
Share
External POC / Exploit Code
Leaving vuln.today