
CVE-2025-54589: copyparty Reflected XSS via Filter Parameter

CVSS Score (v3.1): 6.3

Basic Information

EPSS Score: -
Published: 7/31/2025
Updated: 7/31/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Package Name: copyparty
Ecosystem: pip
Vulnerable Versions: <= 1.18.6
First Patched Version: 1.18.7

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the 'filter' parameter of the recent uploads page. The patch in commit a8705e611d05eeb22be5d3d7d9ab5c020fe54c62 shows the fix: a new function, json_hesc, was added in copyparty/util.py to escape HTML-sensitive characters, and it is applied in the tx_rups method of the HttpSrv class in copyparty/httpcli.py. The change from html = self.j2s("rups", this=self, v=jtxt) to html = self.j2s("rups", this=self, v=json_hesc(jtxt)) shows that jtxt, which carries user-controlled input from the 'filter' parameter, was previously passed to the template without escaping. tx_rups is therefore the vulnerable function: it processed the attacker-supplied value and included it in the rendered page.

Vulnerable functions

HttpSrv.tx_rups
copyparty/httpcli.py
The `tx_rups` function in the `HttpSrv` class is responsible for handling the recent uploads page. The original code passed the `jtxt` variable, which contains the value of the `filter` parameter from the URL, directly to the template rendering function `self.j2s` without any escaping. This allows an attacker to inject malicious HTML and JavaScript code, leading to a reflected Cross-Site Scripting (XSS) vulnerability.
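The pattern the fix applies, as an added illustration that is not copyparty's own code (the real json_hesc in copyparty/util.py was not reproduced here): HTML-sensitive characters in the serialized JSON are rewritten as JSON \uXXXX escapes before the string is placed in the page, so the value stays valid JSON but can no longer close the surrounding script block. The inline-script TEMPLATE, the render_rups_* functions and the checker helpers are assumptions made for this example.

```python
import json

# Hypothetical stand-in for the json_hesc helper named in the advisory (assumption:
# the copyparty implementation was not consulted). Characters that can break out of
# an HTML context become JSON unicode escapes; the result is still valid JSON.
_HESC = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "'": "\\u0027",
}

def json_hesc(jtxt: str) -> str:
    """Escape HTML-sensitive characters inside an already-serialized JSON string."""
    for ch, rep in _HESC.items():
        jtxt = jtxt.replace(ch, rep)
    return jtxt

# Constructed stand-in for the recent-uploads template: the JSON payload is dropped
# into an inline <script> block, the context an unescaped 'filter' value could close.
TEMPLATE = "<html><body><script>var rups = {v};</script></body></html>"

def render_rups_vulnerable(filter_param: str) -> str:
    """Before the fix: the raw JSON text is interpolated into the page."""
    jtxt = json.dumps({"filter": filter_param, "ups": []})
    return TEMPLATE.format(v=jtxt)

def render_rups_fixed(filter_param: str) -> str:
    """After the fix: the JSON text is HTML-escaped first."""
    jtxt = json.dumps({"filter": filter_param, "ups": []})
    return TEMPLATE.format(v=json_hesc(jtxt))

def script_breakout(html: str) -> bool:
    """True if the embedded value terminates the script block early (a second </script>)."""
    return html.count("</script>") > 1

def embedded_filter(html: str) -> str:
    """Recover the 'filter' value from the rendered page by decoding the embedded JSON."""
    start = html.index("var rups = ") + len("var rups = ")
    end = html.index(";</script>")
    return json.loads(html[start:end])["filter"]
```

Running both renderers on a constructed input such as "</script><b>injected</b>" shows the unescaped page contains two closing script tags while the escaped page contains one, and the escaped JSON still decodes to the original value.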

WAF Protection Rules

WAF Rule

### Summary

Unauthorized reflected Cross-Site-Scripting when accessing the URL for recent uploads with the `filter` parameter containing JavaScript code.

### Details

When accessing the recent uploads page at `/?ru`, users can filter the results usin
