Moderate severity · NVD Advisory · Published Jul 28, 2025 · Updated Jul 28, 2025
copyparty has a DOM-Based XSS vulnerability when displaying multimedia metadata
CVE-2025-54423
Description
copyparty is a portable file server. In versions up to and including 1.18.4, an unauthenticated attacker can execute arbitrary JavaScript in a victim's browser because multimedia tags read from music files, including m3u files, are not sanitized before being rendered into the page. This is fixed in version 1.18.5.
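The bug class described above, as an added example that is not copyparty's own code: a file browser builds table cells from metadata tags that came out of uploaded files, so both the tag names and the tag values are attacker-controlled strings. The unsafe row builder concatenates them straight into markup; the hardened one keeps the raw key for the object lookup and escapes only at the point where key and value are written into HTML. The `esc` helper, the row builders and the sample tag object are all constructed for this example.

```javascript
// Added example (not copyparty's own code): rendering untrusted metadata
// tags into table cells. Tag names and values both come from file content.

// Minimal HTML escaper, safe for text nodes and double-quoted attributes.
function esc(s) {
  return ('' + s)                 // coerce numbers/undefined to a string first
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: the raw tag value lands in the DOM as markup.
function renderRowUnsafe(tags, tagOrder) {
  var cells = [];
  for (var i = 0; i < tagOrder.length; i++) {
    var k = tagOrder[i], v = tags[k] || "";
    cells.push('<td>' + v + '</td>');
  }
  return '<tr>' + cells.join('') + '</tr>';
}

// Hardened shape: look up with the raw key, escape key and value only
// where they are written into HTML (text node and attribute value).
function renderRowSafe(tags, tagOrder) {
  var cells = [];
  for (var i = 0; i < tagOrder.length; i++) {
    var k = tagOrder[i], v = tags[k] || "";
    cells.push('<td data-tag="' + esc(k) + '">' + esc(v) + '</td>');
  }
  return '<tr>' + cells.join('') + '</tr>';
}

// Pitfall: escaping the key *before* the lookup changes the key, so any
// tag name containing &, <, >, " or ' silently resolves to "".
function lookupWithEscapedKey(tags, k) {
  return tags[esc(k)] || "";
}

// Constructed sample: tags as a server might return them for one file.
var sampleTags = { artist: 'A & B', '<title>': 'x', '.dur': 61.5 };
var sampleOrder = ['artist', '<title>', '.dur', 'missing'];
```

Assigning either row string to `innerHTML` shows the difference: the unsafe row inserts `A & B` and any markup a tag carries as live HTML, while the safe row displays the same characters as text.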
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| copyparty (PyPI) | < 1.18.5 | 1.18.5 |
Patches (1)
1 file changed · +4 −4
copyparty/web/browser.js+4 −4 modified@@ -7464,7 +7464,7 @@ var search_ui = (function () { nodes = ['<tr><td>-</td><td><div>' + links + '</div>', sz]; for (var b = 0; b < tagord.length; b++) { - var k = tagord[b], + var k = esc(tagord[b]), v = r.tags[k] || ""; if (k == ".dur") { @@ -7473,7 +7473,7 @@ var search_ui = (function () { continue; } - nodes.push(v); + nodes.push(esc('' + v)); } nodes = nodes.concat([ext, unix2iso(ts)]); @@ -8362,7 +8362,7 @@ var treectl = (function () { top + tn.href + '" id="' + id + '">' + hname + '</a>', tn.sz]; for (var b = 0; b < res.taglist.length; b++) { - var k = res.taglist[b], + var k = esc(res.taglist[b]), v = (tn.tags || {})[k] || "", sv = null; @@ -8371,7 +8371,7 @@ var treectl = (function () { else if (k == ".up_at") sv = v ? unix2iso(v) : ""; else { - ln.push(v); + ln.push(esc('' + v)); continue; } ln[ln.length - 1] += '</td><td sortv="' + v + '">' + sv;
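Review bot: in the first hunk (`search_ui`, line 7464) `esc()` is applied to `tagord[b]` before `k` is used as the lookup key in `v = r.tags[k] || ""`, so a tag name containing `&`, `<`, `>` or a quote no longer matches its own entry and `v` silently falls back to the empty string. Keep the raw key for the lookup and the `.dur` comparison, and escape a copy only at the point where `k` is written into markup, e.g. `var k = tagord[b], kh = esc(k), v = r.tags[k] || "";`.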
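Review bot: the third hunk (`treectl`, line 8362) has the same lookup problem: `var k = esc(res.taglist[b])` feeds the escaped name into `v = (tn.tags || {})[k] || ""`, so tags whose names contain HTML-special characters lose their values in the tree listing. Look up with the unescaped name and escape where the name is rendered.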
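Review bot: the fourth hunk (`treectl`, line 8371) escapes `v` on the `ln.push` path but the trailing context line `ln[ln.length - 1] += '</td><td sortv="' + v + '">' + sv;` still interpolates the raw `v` into the `sortv` attribute for the `.dur` and `.up_at` branches. If those values are not guaranteed numeric by the server, this remains an attribute-injection point; either wrap it as `esc('' + v)` too or document the invariant that makes it safe.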
References
- github.com/advisories/GHSA-9q4r-x2hj-jmvr (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-54423 (NVD entry)
- github.com/9001/copyparty/commit/895880aeb0be0813ddf732487596633f8f9fc3a6 (fix commit)
- github.com/9001/copyparty/releases/tag/v1.18.5 (patched release)
- github.com/9001/copyparty/security/advisories/GHSA-9q4r-x2hj-jmvr (repository advisory)