CVE-2025-14267: Improper temporary cached data included in a structure only copy

DESCRIPTION

Incomplete removal of sensitive information before transfer vulnerability in M-Files Corporation M-Files Server allows data leak exposure affecting versions before 25.12.15491.7

AFFECTED PRODUCTS

M-Files Server before 25.12.15491.7

MORE INFORMATION

M-Files Server lets an administrator-level user copy a vault with “metadata structure only”, i.e. without any of the actual data.
Because some activity data that was only meant to be temporary caching data was not removed, the copy could have included data from the source vault.
That data could have included sensitive data or data categorized as PII, such as file names, user names and comments. The exact data contained depends on the source vault content.

When a vault is replicated with metadata structure only, the activity data was not removed properly, which leaks data from the source vault into the target copy vault. If an object in the new vault later gets the same object version count and object internal ID as a record left behind in the database, the activity data from the original vault may be shown on that object erroneously.

The issue manifests as activity feed data from another vault appearing on seemingly random objects in the vault.

We are providing this security advisory to inform you that no action beyond upgrading to 25.12.15491.7 (or newer) is required. The upgrade removes the cached data.

To summarize:

1. The issue exists only if the vault has been created as a “metadata structure only” copy.

2. The source vault has been in use AND activity feed data was created for an object before the copy was made, so that the copy contains activity data.

3. The activity data is caching data only, and it is removed from the vault during the database update to 25.12.
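The mechanism summarized above, as an added illustration that is not M-Files code: a toy vault in SQLite whose "metadata structure only" copy keeps the schema, drops the object data, and either forgets (the flaw) or purges (the fix) the activity cache. The table names, columns and the (object internal ID, object version) cache key are assumptions made for this example, not M-Files Server's real data model; the sample rows are constructed.

```python
import sqlite3

# Assumed toy schema for this example; it is not M-Files Server's data model.
SCHEMA = """
CREATE TABLE objects (
    object_id INTEGER NOT NULL,      -- object internal ID
    version   INTEGER NOT NULL,      -- object version count
    title     TEXT,
    PRIMARY KEY (object_id, version)
);
CREATE TABLE activity_cache (        -- "temporary caching only" activity feed data
    object_id INTEGER NOT NULL,
    version   INTEGER NOT NULL,
    actor     TEXT,
    comment   TEXT
);
"""


def make_source_vault():
    """A source vault that has been in use: one object with activity entries."""
    src = sqlite3.connect(":memory:")
    src.executescript(SCHEMA)
    # Constructed sample data (not from any real vault).
    src.execute("INSERT INTO objects VALUES (1, 1, 'Q3 payroll.xlsx')")
    src.executemany(
        "INSERT INTO activity_cache VALUES (?, ?, ?, ?)",
        [(1, 1, "alice", "Uploaded Q3 payroll.xlsx"),
         (1, 1, "bob", "Salary figures on row 12 look wrong")],
    )
    src.commit()
    return src


def copy_structure_only(src, purge_cache):
    """Produce a "metadata structure only" copy of src.

    The structure (schema) is kept and the actual object data is dropped.
    purge_cache=False models the flaw: the activity cache rides along.
    purge_cache=True models the fix: temporary cache data is removed as well.
    """
    dst = sqlite3.connect(":memory:")
    src.backup(dst)                      # clone everything first ...
    dst.execute("DELETE FROM objects")   # ... then strip the actual data
    if purge_cache:
        dst.execute("DELETE FROM activity_cache")
    dst.commit()
    return dst


def orphaned_cache_rows(vault):
    """Cache rows with no backing object. Right after a structure-only copy
    this must be empty; anything here is data leaked from the source vault."""
    return vault.execute(
        "SELECT a.object_id, a.version, a.actor, a.comment "
        "FROM activity_cache a LEFT JOIN objects o "
        "ON o.object_id = a.object_id AND o.version = a.version "
        "WHERE o.object_id IS NULL ORDER BY a.rowid"
    ).fetchall()


def activity_feed(vault, object_id, version):
    """What the activity feed shows for one object version."""
    return vault.execute(
        "SELECT actor, comment FROM activity_cache "
        "WHERE object_id = ? AND version = ? ORDER BY rowid",
        (object_id, version),
    ).fetchall()


def scenario(purge_cache):
    """Copy the vault, then create the first object in the copy.

    Returns (orphans right after the copy, feed shown on the new object).
    """
    src = make_source_vault()
    dst = copy_structure_only(src, purge_cache)
    orphans = orphaned_cache_rows(dst)
    # The first object created in the new vault reuses internal ID 1,
    # version 1: the same key the stale cache rows carry.
    dst.execute("INSERT INTO objects VALUES (1, 1, 'Welcome note')")
    dst.commit()
    return orphans, activity_feed(dst, 1, 1)


if __name__ == "__main__":
    for purge in (False, True):
        orphans, feed = scenario(purge)
        print(f"purge_cache={purge}: orphans after copy={len(orphans)}, "
              f"feed on new object={feed}")
```

Note that the orphan check only catches the leak in the window between the copy and the first object creation: once a new object reuses the cached key, the stale rows look like legitimate activity for that object, which is why the symptom is described above as activity data appearing on random objects. That is also why the fix has to purge the cache during the copy (or the upgrade) rather than rely on a later consistency check.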

CVSS 4.0 Score: 5.6

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

CWE: CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer

CAPEC: CAPEC-410 Information Elicitation

Internal ID: CE-2204

Date issued: 2025-12-18

Alternate IDs: EUVD-2025-204453

EXPLOITABILITY

Publicly disclosed: No
Exploited: Unknown
Probability of exploitation: low – internally found

LINKS

https://www.cve.org/CVERecord?id=CVE-2025-14267

https://euvd.enisa.europa.eu/vulnerability/EUVD-2025-204453

HISTORY

2025-12-18 Published
2025-12-19 EUVD ID added
