3.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-27145

GHSA ID

GHSA-m2jw-cj8v-937r

EPSS Score

0.04663%

CWE

CWE-79

Published

2/26/2025

Updated

2/26/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27145

CVE-2025-27145: copyparty renders unsanitized filenames as HTML when user uploads empty files

Summary

A DOM-Based XSS was discovered in copyparty, a portable fileserver. The vulnerability is considered low-risk.

Details

By handing someone a maliciously-named file, and then tricking them into dragging the file into copyparty's Web-UI, an attacker could execute arbitrary javascript with the same privileges as that user. For example, this could give unintended read-access to files owned by that user. The bug is triggered by the drag-drop action itself; it is not necessary to actually initiate the upload. The file must be empty (zero bytes).

Note: As a general-purpose webserver, it is intentionally possible to upload HTML-files with arbitrary javascript in <script> tags, which will execute when the file is opened. The difference is that this vulnerability would trigger execution of javascript during the act of uploading, and not when the uploaded file was opened.

Proof of Concept (POC)

Create an empty file named <img src=x onerror="alert(1)">
Drag-and-drop the file into the browser to initiate an upload
The alert(1) is executed

(GitHub Advisory)

3.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-27145

GHSA ID

GHSA-m2jw-cj8v-937r

EPSS Score

0.04663%

CWE

CWE-79

Published

2/26/2025

Updated

2/26/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
copyparty	pip	< 1.16.15	1.16.15

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from unescaped filename insertion in up2k.js's message construction logic. The GitHub patch shows the addition of esc() calls around bad_files[a][1] and nil_files[a][1] in up2k_init, proving these were the vulnerable points. These locations directly used user-controlled filenames in HTML context without sanitization, enabling DOM XSS when empty files with malicious names were dragged into the UI.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry * [*OM-**s** XSS](*ttps://**p**.mitr*.or*/**t*/***initions/***.*tml) w*s *is*ov*r** in [*opyp*rty](*ttps://*it*u*.*om/****/*opyp*rty), * port**l* *il*s*rv*r. T** vuln*r**ility is *onsi**r** low-risk. ## **t*ils *y **n*in* som*on* * m*li

Reasoning

T** vuln*r**ility st*ms *rom un*s**p** *il*n*m* ins*rtion in up*k.js's m*ss*** *onstru*tion lo*i*. T** *it*u* p*t** s*ows t** ***ition o* *s*() **lls *roun* ***_*il*s[*][*] *n* nil_*il*s[*][*] in up*k_init, provin* t**s* w*r* t** vuln*r**l* points. T

3.6

Basic Information

Concerned about an active attack path?

CVE-2025-27145: copyparty renders unsanitized filenames as HTML when user uploads empty files

Summary

Details

Proof of Concept (POC)

3.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI