
Cross-Site Scripting in Nextcloud: Development files shipped in files_pdfviewer app

Nextcloud’s PDF viewer uses an outdated version of PDF.js vulnerable to CVE-2024-4367.

Attackers with regular user access to a Nextcloud instance are able to prepare a special link. If this link is visited by another logged-in user, a cross-site scripting payload is executed and the attackers gain access to that user's files.

Details

Introduction

Nextcloud is committed to provide self hosted open source cloud file storage technology that is a perfect fit for the privacy and security of your enterprise.

(from vendor’s homepage)

More Details

Inside Nextcloud’s dashboard, PDF files can be displayed using its files_pdfviewer application, which uses PDF.js.

In 2024, Codean identified a cross-site scripting vulnerability in PDF.js tracked as CVE-2024-4367.

files_pdfviewer has pinned an older vulnerable version of PDF.js for maintainability reasons. This was considered safe by the developers, as files_pdfviewer disables eval for PDF.js since 2020, which prevents the exploit from working in Nextcloud.

However, Nextcloud also ships with the PDF.js examples containing the viewer.html component accessible in /apps/files_pdfviewer/js/pdfjs/web/, which allows viewing PDF files from the same origin.

viewer.html is still vulnerable to CVE-2024-4367 and can be accessed without authentication.

A vulnerable PDF.js version (v2.0.943) was introduced with 20.0.12rc1 (PDF.js v1.9.426 was unaffected according to Codean).

Proof of Concept

The following assumes an attacker who can upload files to the targeted Nextcloud instance, and create shareable links.

First, a PDF file exploiting CVE-2024-4367 (for example the proof of concept PDF file by Codean) is uploaded to the targeted Nextcloud instance. By using a public shareable link (<public-link>), a URL similar to the following can be created:

https://example.org/apps/files_pdfviewer/js/pdfjs/web/viewer.html?file=<public-link>

When this URL is opened in a browser, the cross-site scripting is triggered.

Workaround

Remove or denylist files_pdfviewer/js/pdfjs/web/viewer.html from the web server.
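One way to apply this workaround on an nginx front end, as an added example that is not part of the advisory: the location block below answers requests for the viewer.html path named above with 404. It assumes Nextcloud is served from the web root, as in the URL in the Proof of Concept section, and it has to be placed before the other regular-expression `location ~` blocks of Nextcloud's recommended nginx configuration, because nginx stops at the first matching regular-expression location.

```nginx
# Added example, not from the advisory: deny the shipped PDF.js demo viewer.
# Assumes Nextcloud is installed at the web root (https://example.org/).
# Put this before the other "location ~" blocks inside the Nextcloud
# server {} block; nginx uses the first regular-expression location that matches.
location ~ ^/apps/files_pdfviewer/js/pdfjs/web/viewer\.html$ {
    # Respond as if the file does not exist instead of serving it.
    return 404;
}
```

After reloading nginx, a request to /apps/files_pdfviewer/js/pdfjs/web/viewer.html should return 404 rather than the viewer page.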

Fix

Install the corresponding maintenance updates containing the fix for files_pdfviewer (see Details section).

Security Risk

Attackers with the ability to host a malicious PDF file on the same origin as the targeted Nextcloud instance can prepare a URL which will run attacker-controlled JavaScript when visited in a browser, allowing the attackers to access Nextcloud with the victim's identity if the victim is logged in. Nextcloud itself has multiple ways to create links for files; however, the most likely way for attackers to create predictable links is to have control of a user account which can create public links for files.

Therefore, an attacker not only needs access to a regular user account on the Nextcloud instance to upload the malicious PDF file, but they also need to convince a logged-in victim from the same instance to visit the link. We consider this a medium risk.

Timeline

  • 2025-09-03 Vulnerability identified
  • 2025-09-04 CVE ID requested
  • 2025-09-19 CVE-2025-59788 assigned
  • 2025-09-22 Tried contacting security@nextcloud.com, but email is not used anymore
  • 2025-09-22 Asked vendor for security contact
  • 2025-09-23 Vendor notified
  • 2025-09-23 Vendor acknowledged vulnerability and set dates for releasing fixes and advisory
  • 2025-10-23 Vendor released maintenance releases containing the fix
  • 2025-12-04 Advisory released

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at: https://www.redteam-pentesting.de/

Working at RedTeam Pentesting

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://jobs.redteam-pentesting.de/