
CKFinder for ASP.NET with a Security Patch Released

We would like to announce an immediate release of CKFinder for ASP.NET which contains a critical security fix. An upgrade is highly recommended!

We were contacted yesterday (June 8th) by Tornike Gelashvili, CTO of Helix Group, regarding an issue discovered during penetration tests. After confirming the issue, we developed a security fix so that it could be provided to the general public as soon as possible. The application was also checked to confirm that this was the only place affected.

Issue Description

Due to insufficient checks in the ASP.NET connector, an authenticated user could use the built-in DownloadFile command to download any file from the server by providing an absolute path to the file. This applied to files with an extension allowed in the defined resource types, as well as to files without any extension.

  • Severity: Critical
  • Versions affected: CKFinder for ASP.NET <= 2.5.0
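The kind of check the description refers to, as an added example that is not CKFinder's code or the actual patch: a download handler resolves the requested name inside one resource type's directory and refuses absolute paths, paths that escape that directory, and files with no allowed extension. The names `DownloadPathGuard` and `Resolve`, the directory, and the extension list are hypothetical.

```csharp
using System;
using System.IO;
using System.Linq;

// Hypothetical helper, not CKFinder code: resolves a client-supplied file name
// inside one resource type's directory and rejects anything that escapes it.
public static class DownloadPathGuard
{
    public static string Resolve(string baseDir, string requestedName, string[] allowedExtensions)
    {
        if (string.IsNullOrWhiteSpace(requestedName))
            throw new UnauthorizedAccessException("Empty file name.");

        // General .NET behaviour: Path.Combine returns its second argument when
        // that argument is rooted, so absolute paths are rejected before combining.
        if (Path.IsPathRooted(requestedName))
            throw new UnauthorizedAccessException("Absolute paths are not allowed.");

        // Canonicalise both paths so ".." segments are resolved before comparing.
        string root = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar)
            + Path.DirectorySeparatorChar;
        string full = Path.GetFullPath(Path.Combine(root, requestedName));

        // Case-insensitive comparison, assuming a Windows (case-insensitive) file system.
        if (!full.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Path escapes the resource directory.");

        // Files without an extension are refused unless "" is explicitly allowed.
        string ext = Path.GetExtension(full).TrimStart('.');
        if (!allowedExtensions.Contains(ext, StringComparer.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Extension is not allowed.");

        return full;
    }

    public static void Main()
    {
        // Constructed sample values for illustration.
        string baseDir = Path.Combine(Path.GetTempPath(), "userfiles", "images");
        string[] allowed = { "jpg", "png" };
        string absolute = Path.Combine(Path.GetPathRoot(Path.GetFullPath(baseDir)), "app", "web.config");
        foreach (string name in new[] { "photo.jpg", "../../secret.png", absolute, "README" })
        {
            try { Console.WriteLine("OK      " + Resolve(baseDir, name, allowed)); }
            catch (UnauthorizedAccessException e) { Console.WriteLine("DENIED  " + name + " (" + e.Message + ")"); }
        }
    }
}
```

Only `photo.jpg` resolves; the traversal, the absolute path, and the extensionless name are each denied with a distinct reason that can be logged for detection.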

We would like to thank Tornike and his team for their submission, and we strongly recommend that everyone upgrade.


See the whatsnew page for a list of changes.


Download CKFinder now!


Visit the support page for information about available support options.
