
CVE-2025-66549: CWE-209: Generation of Error Message Containing Sensitive Information in nextcloud security-advisories

Severity: Low
Published: Fri Dec 05 2025 (12/05/2025, 17:47:00 UTC)
Source: CVE Database V5
Vendor/Project: nextcloud
Product: security-advisories

Description

Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.

AI-Powered Analysis

Last updated: 12/05/2025, 18:15:16 UTC

Technical Analysis

CVE-2025-66549 affects the Nextcloud Desktop sync client before version 3.16.5. When a user manually locks a file that lives inside an end-to-end encrypted (E2EE) directory, the client sends the file's plaintext path to the server, even though names below an E2EE root are meant to reach the server only in encrypted form. The path then lands in server-side logs, where server administrators, or anyone else with read access to those logs, can read it. The advisory classifies the flaw as CWE-209 (Generation of Error Message Containing Sensitive Information). The CVSS 3.1 base score is 2.4 (Low), which corresponds to network attack vector (AV:N), high attack complexity (AC:H), high privileges required (PR:H), user interaction required (UI:R), unchanged scope (S:U), low confidentiality impact (C:L) and no integrity or availability impact (I:N/A:N). TLS does not help here: the transport is encrypted, but the server terminates it and sees the request in clear, and the purpose of E2EE is precisely that the server operator is not trusted with file names or contents. File contents are not exposed and nothing can be modified; what leaks is metadata, and directory and file names routinely reveal projects, counterparties or personal matters. Version 3.16.5 fixes the client so that the plaintext path is no longer transmitted during manual locking. No in-the-wild exploitation is known, and the leak occurs only when an authenticated user actually performs a manual lock, which keeps exposure narrow. The general lesson is that metadata such as paths needs the same protection as contents, otherwise the privacy guarantee of an encrypted folder is only partial.

Potential Impact

For European organisations the impact is metadata leakage: plaintext paths from inside end-to-end encrypted folders written to server logs. Directory and file names often carry project names, client or employee names, or the subject of a document, so they can themselves be personal data under the GDPR even though the file contents stay encrypted. Whoever operates the server (an internal administrator, or the hosting provider of a managed Nextcloud instance) is exactly the party that end-to-end encryption is meant to keep out, so the leak undermines the reason for using E2EE on that folder, and it gives anyone who has obtained log access material for reconnaissance. Exploitation needs an authenticated user to perform a manual lock and an observer with log access, so mass exploitation is unlikely; the realistic scenarios are a malicious or compromised administrator, or a compromised log pipeline. Integrity and availability are unaffected. Given how widely Nextcloud is deployed in European public-sector and privacy-sensitive environments, the client update should still be rolled out promptly.

Mitigation Recommendations

The fix is client-side: upgrade every Nextcloud Desktop client to 3.16.5 or later and enforce the update through endpoint management, since the server version does not matter here. Patching stops new leaks but does not remove paths already written; administrators should search existing server logs (and any downstream log collectors) for plaintext paths under E2EE folders, redact or purge those entries, and check that log retention and access controls limit who can read them. TLS between client and server remains mandatory, but it is not a mitigation for this issue: the path is in the request itself, and the server decrypts TLS before it logs anything. Until clients are updated, tell users not to manually lock files inside end-to-end encrypted folders. Monitor administrative and log access for unusual patterns, since that is where abuse of leaked metadata would surface. Finally, treat file and folder names as data in their own right in classification and handling policies, so that any future metadata leak exposes as little as possible.
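The log audit described above, as an added example that is not code from Nextcloud or from this advisory: a small Python script that walks nextcloud.log-style JSON lines, flags request URLs carrying readable path components below a folder the auditor knows to be end-to-end encrypted, and produces a redacted copy of an offending line. It goes slightly beyond the advisory in that it checks every WebDAV request, not only locking. Assumptions, none of which come from the advisory: one JSON object per line with the keys "reqId", "user", "method", "url" and "message"; the per-user E2EE_ROOTS mapping is supplied by the auditor; server-side names below an E2EE root are modelled as 32 lowercase hex characters; SAMPLE_LOG is constructed for the example.

```python
"""Audit nextcloud.log-style JSON lines for readable paths inside E2EE folders.

Added example, not Nextcloud project code. Assumptions: one JSON object per
line with keys "reqId", "user", "method", "url", "message"; the auditor knows
which top-level folders are end-to-end encrypted per user (E2EE_ROOTS); names
below such a root are opaque, modelled as 32 lowercase hex chars; SAMPLE_LOG
is constructed for this example.
"""
import json
import re
from urllib.parse import unquote

# Per-user E2EE folder roots, supplied by the auditor (assumption).
E2EE_ROOTS = {"alice": {"Encrypted"}}

# Assumed shape of an opaque (encrypted) name below an E2EE root.
OPAQUE_NAME = re.compile(r"^[0-9a-f]{32}$")

# Nextcloud WebDAV files endpoint: /remote.php/dav/files/<user>/<path>
DAV_FILES = re.compile(r"^/remote\.php/dav/files/(?P<user>[^/]+)/(?P<path>.*)$")

REDACTED = "[REDACTED]"


def _split_e2ee_url(user, url):
    """(head, components, tail) when url is below an E2EE root of user, else None.
    head = prefix through the root, components = percent-decoded names below it,
    tail = query string including '?' (or '')."""
    path, sep, query = url.partition("?")
    m = DAV_FILES.match(path)
    if not m or m.group("user") != user:
        return None  # other user's tree (shares) or not a files URL
    parts = [unquote(p) for p in m.group("path").split("/") if p]
    if not parts or parts[0] not in E2EE_ROOTS.get(user, set()):
        return None
    return f"/remote.php/dav/files/{user}/{parts[0]}", parts[1:], sep + query


def leaked_components(user, url):
    """Readable (non-opaque) names below an E2EE root; [] when nothing leaks."""
    split = _split_e2ee_url(user, url)
    if split is None:
        return []
    return [c for c in split[1] if not OPAQUE_NAME.match(c)]


def redact_url(user, url):
    """Replace every readable component below an E2EE root with REDACTED."""
    split = _split_e2ee_url(user, url)
    if split is None:
        return url
    head, comps, tail = split
    cleaned = [c if OPAQUE_NAME.match(c) else REDACTED for c in comps]
    return "/".join([head, *cleaned]) + tail


def redact_line(line):
    """Return the log line with leaked names scrubbed from "url" and "message"."""
    entry = json.loads(line)
    user = entry.get("user") or ""
    url = entry.get("url", "")
    leaked = leaked_components(user, url)
    if not leaked:
        return line
    entry["url"] = redact_url(user, url)
    message = entry.get("message", "")
    for name in leaked:  # the error message may repeat the decoded path
        message = message.replace(name, REDACTED)
    entry["message"] = message
    return json.dumps(entry)


def audit(lines):
    """Return (reqId, user, method, leaked names) for every offending line."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line: skip, do not guess
        user = entry.get("user") or ""
        leaked = leaked_components(user, entry.get("url", ""))
        if leaked:
            findings.append((entry.get("reqId"), user, entry.get("method"), leaked))
    return findings


# Constructed sample lines (not real Nextcloud output).
SAMPLE_LOG = [
    '{"reqId":"r1","user":"alice","method":"LOCK",'
    '"url":"/remote.php/dav/files/alice/Encrypted/Board%20minutes/Q3%20layoffs.docx",'
    '"message":"File not found: Encrypted/Board minutes/Q3 layoffs.docx"}',
    '{"reqId":"r2","user":"alice","method":"PROPFIND",'
    '"url":"/remote.php/dav/files/alice/Encrypted/3f2a9c1e4b7d8e6f0a1b2c3d4e5f6a7b","message":"ok"}',
    '{"reqId":"r3","user":"bob","method":"GET",'
    '"url":"/remote.php/dav/files/bob/Documents/report.pdf","message":"ok"}',
    '{"reqId":"r4","user":"alice","method":"GET",'
    '"url":"/remote.php/dav/files/alice/Encrypted/3f2a9c1e4b7d8e6f0a1b2c3d4e5f6a7b/Budget.xlsx","message":"ok"}',
    'not json: truncated write',
]

if __name__ == "__main__":
    for req_id, user, method, leaked in audit(SAMPLE_LOG):
        print(f"{req_id}: {user} {method} leaks {leaked}")
    print(redact_line(SAMPLE_LOG[0]))
```

Run it against a real nextcloud.log by replacing SAMPLE_LOG with the file's lines and E2EE_ROOTS with the folders your users have actually enabled E2EE on; the percent-decoding step matters because paths with spaces or non-ASCII names appear encoded in the "url" field but decoded in error messages, and a naive substring search would miss one of the two.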


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2025-12-04T15:52:26.550Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 69331db5f88dbe026c00671b

Added to database: 12/5/2025, 6:00:21 PM

Last enriched: 12/5/2025, 6:15:16 PM

Last updated: 12/8/2025, 1:13:54 AM

