
CVE-2025-14267 Unintended temporary cached data included in a structure only copy intended to be empty of data

2025-12-18

Description

Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7

Affected products

M-Files Server before 25.12.15491.7

More information

M-Files Server has a functionality for an administrator-level user to copy a vault with "metadata structure only", i.e. without any actual data. Due to a failure to remove some activity data that was meant to be used as temporary caching data only, the copy could have included data from the source vault. This data could have included potentially sensitive data or data categorized as PII, such as file names, user names and comments. The exact data contained depends on the source vault content.

When the vault is replicated with metadata structure only, the activity data was not removed properly, which causes data to leak from the source vault to the target copy vault. In some situations, if an object in the new vault has the same object version count and object internal ID as a record in the database, the activity data from the original vault may be shown erroneously. The issue manifests as activity feed data from another vault appearing on random objects in the vault.

We are providing this security advisory to inform you that no actions in addition to upgrading to 25.12 (or newer) are required. Updating will remove the cached data during the upgrade.

To summarize:
1. The issue exists only if the vault has been created as a "metadata structure only" copy.
2. The source vault has been in use AND activity feed data was created for an object before the copy was made, so that the copy contains activity data.
3. The activity data is caching data only, and it is removed from the vault during the database update to 25.12.

CVSS 4.0
CVSS Score: 5.6
CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CWE: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
CAPEC: CAPEC-410 Information Elicitation
Internal ID: CE-2204
Date issued: 2025-12-18
Alternate IDs: EUVD-2025-204453
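The following is an added, constructed model of the failure mode described above; it is not M-Files code and all names in it are assumptions. It shows why a cache keyed only on (internal ID, version) leaks when a structure-only copy forgets to drop it, the corrected copy routine, and a simple check a vault administrator could adapt to look for orphaned activity records.

```python
from dataclasses import dataclass, field

# Constructed toy vault, not M-Files' data model: objects and the activity
# feed cache are both keyed by (internal_id, version), as the advisory describes.
@dataclass
class Vault:
    structure: dict = field(default_factory=dict)  # classes, properties, etc.
    objects: dict = field(default_factory=dict)    # (id, version) -> title
    activity: dict = field(default_factory=dict)   # (id, version) -> [events]

    def create_object(self, obj_id, version, title):
        self.objects[(obj_id, version)] = title

    def feed_for(self, obj_id, version):
        # The feed is read from the cache by key alone, with no check that the
        # cached events were produced by this vault's object.
        return self.activity.get((obj_id, version), [])


def copy_structure_only_buggy(src: Vault) -> Vault:
    # Drops the objects but carries the "temporary" cache over (the pre-fix behaviour).
    return Vault(structure=dict(src.structure), activity=dict(src.activity))


def copy_structure_only_fixed(src: Vault) -> Vault:
    # Structure only: neither objects nor cached activity are copied.
    return Vault(structure=dict(src.structure))


def orphaned_activity(v: Vault):
    # Defender check: cache entries whose (id, version) has no object in this vault.
    return {key for key in v.activity if key not in v.objects}


def demo():
    src = Vault(structure={"classes": ["Contract"]})
    src.create_object(1, 1, "Acme NDA.pdf")
    src.activity[(1, 1)] = ["jdoe renamed Acme NDA.pdf", "jdoe: sent to legal"]

    leaky = copy_structure_only_buggy(src)
    orphans = orphaned_activity(leaky)       # stale cache with no owning object
    leaky.create_object(1, 1, "Unrelated brief.docx")  # same id/version reused
    stale = leaky.feed_for(1, 1)             # source vault's events surface here

    clean = copy_structure_only_fixed(src)
    clean.create_object(1, 1, "Unrelated brief.docx")
    return stale, clean.feed_for(1, 1), orphans
```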

Exploitability

Publicly disclosed: No
Exploited: Unknown
Probability of exploitation: low - internally found

History

2025-12-18 Published