Moderate severity · NVD Advisory · Published Jul 31, 2025 · Updated Jul 31, 2025
copyparty Reflected XSS via Filter Parameter
CVE-2025-54589
Description
Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at /?ru, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, and the server reflects that parameter's value directly into a <script> block without proper escaping. This allows reflected Cross-Site Scripting (XSS) that can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.
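The mechanics above (a JSON string dropped into a <script> block, where a `</script` sequence inside the data ends the script element regardless of JavaScript syntax) can be reproduced in a few lines. The following is an added example, not copyparty's own code: the `json_hesc` helper mirrors the shape of the fix, while the template, the `render_*` functions and the `script_bodies` tokenizer are constructed for illustration. The check works the way a browser's HTML tokenizer does, which is the property a regression test for this class of bug should assert on.

```python
import json


def json_hesc(s: str) -> str:
    """Escape a JSON *text* for embedding inside <script>.

    '<', '>' and '&' can only appear inside string literals of well-formed
    JSON, so replacing them with JSON \\u escapes keeps the text valid JSON
    and makes it impossible for the data to close the script element.
    JSON.parse / json.loads turn the escapes back into the same characters.
    """
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


# Constructed stand-in for a page template that embeds JSON in a script block.
TEMPLATE = "<html><body><script>var v = {v};</script></body></html>"


def render_unsafe(filter_value: str) -> str:
    """Pre-fix shape: the JSON text goes into the script block as-is."""
    jtxt = json.dumps({"filter": filter_value})
    return TEMPLATE.format(v=jtxt)


def render_safe(filter_value: str) -> str:
    """Post-fix shape: the JSON text is escaped before it reaches the template."""
    jtxt = json.dumps({"filter": filter_value})
    return TEMPLATE.format(v=json_hesc(jtxt))


def script_bodies(html: str) -> list:
    """Split out <script> contents the way an HTML tokenizer does.

    A script element's raw text ends at the first '</script' sequence, no
    matter whether JavaScript is in the middle of a string literal.
    """
    bodies = []
    pos = 0
    while True:
        start = html.find("<script>", pos)
        if start < 0:
            return bodies
        start += len("<script>")
        end = html.find("</script", start)
        if end < 0:
            bodies.append(html[start:])
            return bodies
        bodies.append(html[start:end])
        pos = end


def embedded_filter(html: str):
    """Recover the filter value the single script element carries.

    Returns None when the rendered page does not contain exactly one intact
    'var v = <json>;' script body, i.e. when data escaped the script element.
    """
    bodies = script_bodies(html)
    if len(bodies) != 1:
        return None
    body = bodies[0]
    prefix, suffix = "var v = ", ";"
    if not (body.startswith(prefix) and body.endswith(suffix)):
        return None
    try:
        return json.loads(body[len(prefix):-len(suffix)])["filter"]
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    # Constructed sample: a filter value containing a script terminator.
    sample = 'a"</script>b'
    print("unsafe intact:", embedded_filter(render_unsafe(sample)))  # None
    print("safe intact:  ", embedded_filter(render_safe(sample)))    # a"</script>b
```

`json.dumps` already escapes the double quote, which is why the unsafe rendering is still valid JavaScript syntactically; the HTML tokenizer runs first and does not care. The safe rendering contains exactly one `</script` and round-trips the value unchanged, which is the pair of assertions worth keeping in a test suite.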
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| copyparty (PyPI) | < 1.18.7 | 1.18.7 |
Affected products
Patches
2 files changed · +6 −1
copyparty/httpcli.py+2 −1 modified@@ -81,6 +81,7 @@ html_escape, humansize, ipnorm, + json_hesc, justcopy, load_resource, loadpy, @@ -5595,7 +5596,7 @@ def tx_rups(self) -> bool: self.reply(jtxt.encode("utf-8", "replace"), mime="application/json") return True - html = self.j2s("rups", this=self, v=jtxt) + html = self.j2s("rups", this=self, v=json_hesc(jtxt)) self.reply(html.encode("utf-8"), status=200) return True
copyparty/util.py+4 −0 modified@@ -2253,6 +2253,10 @@ def find_prefix(ips: list[str], cidrs: list[str]) -> list[str]: return ret +def json_hesc(s: str) -> str: + return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026") + + def html_escape(s: str, quot: bool = False, crlf: bool = False) -> str: """html.escape but also newlines""" s = s.replace("&", "&").replace("<", "<").replace(">", ">")
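Review bot: the escaping in the `tx_rups` hunk is applied at a single call site (`html = self.j2s("rups", this=self, v=json_hesc(jtxt))`), so any other template that receives JSON text from `j2s` for a script block would still need the same treatment; consider applying the escape where the template renders the value, or at least auditing the other `j2s` callers. A regression test that requests the recent-uploads page with a filter value containing `</script>` and asserts that the script block of the response contains `\u003c/script` rather than a literal `</script>` would lock the fix in. The JSON branch just above (`mime="application/json"`) is correctly left alone, since the escape is only needed when the text is embedded in HTML.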
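Review bot: `json_hesc` in the util.py hunk has no docstring, and its correctness depends on a contract the name does not convey: the input must be a JSON text, because `\u003c` is only a legal escape inside a JSON string literal. That holds here (in well-formed JSON the characters `<`, `>` and `&` can only occur inside string literals), but a one-line docstring such as "escape JSON text for embedding inside <script>; input must be JSON, not arbitrary text" would stop it being reused on plain strings. Unlike the neighbouring `html_escape`, it deliberately leaves quotes alone, which is right for raw-text script content but means the result must not be placed in an HTML attribute; worth a note for the same reason.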
References
- github.com/advisories/GHSA-8mx2-rjh8-q3jq (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-54589 (NVD advisory)
- github.com/9001/copyparty/commit/a8705e611d05eeb22be5d3d7d9ab5c020fe54c62 (fix commit)
- github.com/9001/copyparty/releases/tag/v1.18.7 (release)
- github.com/9001/copyparty/security/advisories/GHSA-8mx2-rjh8-q3jq (project advisory, confirm)