VYPR
Get started
← All advisories
High severityNVD Advisory· Published Jul 14, 2023· Updated Feb 13, 2025

Path traversal in copyparty

CVE-2023-37474

Description

Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the .cpr subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory. This issue has been addressed in commit 043e3c7d which has been included in release 1.8.2. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
copypartyPyPI
< 1.8.21.8.2

Affected products

1

Patches

1
043e3c7dd683

fix traversal vulnerability GHSA-pxfv-7rr3-2qjg:

https://github.com/9001/copypartyedJul 14, 2023via ghsa
commit
1 file changed · +9 1
  • copyparty/httpcli.py+9 1 modified
    @@ -42,6 +42,7 @@
     Pebkac,
     UnrecvEOF,
     alltrace,
+    absreal,
     atomic_move,
     exclude_dotfiles,
     fsenc,
@@ -779,7 +780,14 @@ def handle_get(self) -> bool:
                 self.reply(b"", 301, headers=h)
                 return True
 
-            static_path = os.path.join(self.E.mod, "web/", self.vpath[5:])
+            path_base = os.path.join(self.E.mod, "web")
+            static_path = absreal(os.path.join(path_base, self.vpath[5:]))
+            if not static_path.startswith(path_base):
+                t = "attempted path traversal [{}] => [{}]"
+                self.log(t.format(self.vpath, static_path), 1)
+                self.tx_404()
+                return False
+
             return self.tx_file(static_path)
 
         if "cf_challenge" in self.uparam:

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.