Nextcloud Desktop is the desktop sync client for Nextcloud. In versions of Nextcloud Desktop prior to 3.15, third-party applications already installed on a user's machine can create link shares for almost all data via the socket API. These shares can then easily be sent to an external service. Nextcloud Desktop fixes the issue in version 3.15. No known workarounds are available.
CVE ID: CVE-2025-47792
CVSS Base Severity: MEDIUM
CVSS Base Score: 5.0
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Vendor: nextcloud
Product: security-advisories
EPSS Score: 0.01% (probability of being exploited)
EPSS Percentile: 0.44% (share of scored vulnerabilities with an equal or lower score)
EPSS Date: 2025-06-14 (when this score was calculated)
SSVC Exploitation: none
SSVC Technical Impact: partial
SSVC Automatable: false