CVE-2025-66549: CWE-209: Generation of Error Message Containing Sensitive Information in nextcloud security-advisories
Nextcloud Desktop is the desktop sync client for Nextcloud. Prior to 3.16.5, when trying to manually lock a file inside an end-to-end encrypted directory, the path of the file was sent to the server unencrypted, making it possible for administrators to see it in log files. This vulnerability is fixed in 3.16.5.
AI Analysis
Technical Summary
CVE-2025-66549 is a vulnerability identified in Nextcloud Desktop, the desktop synchronization client for Nextcloud, affecting versions prior to 3.16.5. The flaw arises when a user attempts to manually lock a file within an end-to-end encrypted directory: the client sends the file path to the Nextcloud server without encryption. This behavior results in the exposure of sensitive file path information to server administrators, who can access these details through server log files. The vulnerability is classified under CWE-209, which concerns the generation of error messages containing sensitive information. Although the file contents remain encrypted and protected, the leakage of file paths can reveal confidential organizational structures, project names, or user data patterns. Exploitation requires user interaction (manual locking of files) and administrator privileges to access logs, limiting the attack vector. The CVSS 3.1 score is 2.4 (low severity), reflecting the limited confidentiality impact and no effect on integrity or availability. The vulnerability was publicly disclosed on December 5, 2025, and fixed in Nextcloud Desktop version 3.16.5. No known exploits are currently reported in the wild. The issue highlights the importance of securing metadata in encrypted environments, as metadata leakage can undermine privacy guarantees even when data contents are encrypted.
Potential Impact
For European organizations, the primary impact of CVE-2025-66549 is the potential exposure of sensitive file path metadata to server administrators. This can lead to indirect confidentiality breaches by revealing organizational structures, project details, or user activities. Although the file contents remain protected by end-to-end encryption, metadata leakage can aid targeted attacks or insider threats. Organizations with strict data privacy requirements, such as those governed by GDPR, may face compliance risks if sensitive information is inadvertently exposed. The vulnerability does not affect data integrity or availability, and exploitation requires administrator access to logs and user interaction, limiting the attack surface. However, in environments where multiple administrators exist or where logs are widely accessible, the risk of unauthorized information disclosure increases. The impact is more significant for sectors handling sensitive or regulated data, such as finance, healthcare, and government agencies. Prompt patching mitigates these risks effectively.
Mitigation Recommendations
1. Upgrade all Nextcloud Desktop clients to version 3.16.5 or later so that the fix is in place.
2. Review and restrict access to server log files to minimize the number of administrators or personnel who can view sensitive metadata.
3. Implement log management policies that avoid logging sensitive file path information, or sanitize logs to redact such data.
4. Educate users about the risks of manually locking files within encrypted directories and discourage this action unless it is necessary.
5. Monitor server logs for unusual access patterns or attempts to extract sensitive metadata.
6. Consider deploying network-level encryption or VPNs as an additional layer of protection for communications between clients and servers.
7. Conduct regular security audits focusing on metadata leakage risks in encrypted environments.
8. Coordinate with Nextcloud support or the community for additional security advisories or best practices related to metadata protection.
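Recommendations 3 and 5 can be combined into one log-pipeline step: redact every path component below an end-to-end encrypted folder before a line is stored, and count lines in which a readable (non-opaque) name still appeared there, since each such line is a sign that an unpatched client sent a plaintext path. The following is an added example, not code from the advisory or from Nextcloud; the log lines are constructed, the JSON field names, the `/remote.php/dav/files/<user>/` URL prefix, the per-user `E2EE_ROOTS` map, and the assumption that encrypted entries carry hex-only names are all assumptions made for the example.

```python
import json
import re

# Constructed sample log entries (one JSON object per line). Field names
# are assumed for this example and are not taken from the advisory.
SAMPLE_LOG = [
    '{"user":"alice","method":"LOCK","url":"/remote.php/dav/files/alice/'
    'Projects/merger-2025/board-deck.pptx","message":"Lock failed"}',
    '{"user":"alice","method":"LOCK","url":"/remote.php/dav/files/alice/'
    'Projects/3f9c2a7e1b4d","message":"Lock failed"}',
    '{"user":"bob","method":"GET","url":"/remote.php/dav/files/bob/'
    'Public/readme.txt","message":"ok"}',
]

# Assumed: the administrator maintains a per-user set of top-level folders
# that are end-to-end encrypted (constructed for the example).
E2EE_ROOTS = {"alice": {"Projects"}}

DAV_URL = re.compile(r"^(?P<prefix>/remote\.php/dav/files/(?P<user>[^/]+)/)(?P<path>.*)$")
# Assumption: entries inside an E2EE folder use opaque hex identifiers.
OPAQUE_NAME = re.compile(r"^[0-9a-f]{8,}$")


def classify(entry: dict) -> str:
    """'leak' if a readable name sits below an E2EE root, 'e2ee' if only
    opaque names do, 'plain' if the path is outside every E2EE root."""
    m = DAV_URL.match(entry.get("url", ""))
    if not m:
        return "plain"
    parts = m.group("path").split("/")
    if parts[0] not in E2EE_ROOTS.get(m.group("user"), set()):
        return "plain"
    below = [p for p in parts[1:] if p]
    return "leak" if any(not OPAQUE_NAME.match(p) for p in below) else "e2ee"


def redact(entry: dict) -> dict:
    """Replace everything below an E2EE root so the stored line never
    carries a file name, readable or not."""
    m = DAV_URL.match(entry.get("url", ""))
    if m and classify(entry) != "plain":
        root = m.group("path").split("/")[0]
        entry = dict(entry, url=f"{m.group('prefix')}{root}/[redacted]")
    return entry


def process(lines):
    """Return (redacted entries, number of plaintext-path leaks seen)."""
    out, leaks = [], 0
    for line in lines:
        entry = json.loads(line)
        if classify(entry) == "leak":
            leaks += 1
        out.append(redact(entry))
    return out, leaks
```

A non-zero leak count from `process` is the signal to look for clients still older than 3.16.5; the redacted entries are what should reach long-term log storage.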
Affected Countries
Germany, Netherlands, France, United Kingdom, Sweden, Switzerland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-04T15:52:26.550Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69331db5f88dbe026c00671b
Added to database: 12/5/2025, 6:00:21 PM
Last enriched: 12/12/2025, 7:08:14 PM
Last updated: 2/7/2026, 6:15:13 PM