6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54589

GHSA ID

GHSA-8mx2-rjh8-q3jq

EPSS Score

CWE

CWE-79

Published

7/31/2025

Updated

7/31/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54589

CVE-2025-54589:
copyparty Reflected XSS via Filter Parameter

Summary

Unauthorized reflected Cross-Site-Scripting when accessing the URL for recent uploads with the filter parameter containing JavaScript code.

Details

When accessing the recent uploads page at /?ru, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a <script> block without proper escaping. This vulnerability allows for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users, enabling unwanted actions in the victims browser.

PoC

A URL like this will execute alert(1):

https://127.0.0.1:3923/?ru&filter=</script><script>alert(1)</script>

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54589

GHSA ID

GHSA-8mx2-rjh8-q3jq

EPSS Score

CWE

CWE-79

Published

7/31/2025

Updated

7/31/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
copyparty	pip	<= 1.18.6	1.18.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the 'filter' parameter of the recent uploads page. The provided patch in commit a8705e611d05eeb22be5d3d7d9ab5c020fe54c62 clearly shows the fix. A new function, json_hesc, was added in copyparty/util.py to escape HTML-sensitive characters. This function is then used in the tx_rups method within the HttpSrv class in copyparty/httpcli.py. The change from html = self.j2s("rups", this=self, v=jtxt) to html = self.j2s("rups", this=self, v=json_hesc(jtxt)) demonstrates that the jtxt variable, containing user-controlled input from the 'filter' parameter, was previously being rendered without escaping. Therefore, the tx_rups function is the vulnerable function, as it was processing the malicious input and including it in the web page.

Vulnerable functions

HttpSrv.tx_rups

copyparty/httpcli.py

The `tx_rups` function in the `HttpSrv` class is responsible for handling the recent uploads page. The original code passed the `jtxt` variable, which contains the value of the `filter` parameter from the URL, directly to the template rendering function `self.j2s` without any escaping. This allows an attacker to inject malicious HTML and JavaScript code, leading to a reflected Cross-Site Scripting (XSS) vulnerability.

WAF Protection Rules

WAF Rule

### Summ*ry Un*ut*oriz** r**l**t** *ross-Sit*-S*riptin* w**n ****ssin* t** URL *or r***nt uplo**s wit* t** `*ilt*r` p*r*m*t*r *ont*inin* J*v*S*ript *o**. ### **t*ils W**n ****ssin* t** r***nt uplo**s p*** *t `/?ru`, us*rs **n *ilt*r t** r*sults usin

Reasoning

T** vuln*r**ility is * r**l**t** *ross-Sit* S*riptin* (XSS) issu* in t** '*ilt*r' p*r*m*t*r o* t** r***nt uplo**s p***. T** provi*** p*t** in *ommit `****************************************` *l**rly s*ows t** *ix. * n*w *un*tion, `json_**s*`, w*s **

6.3

Basic Information

Concerned about an active attack path?

CVE-2025-54589: copyparty Reflected XSS via Filter Parameter

Summary

Details

PoC

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-54589:
copyparty Reflected XSS via Filter Parameter

Vulnerability Intelligence
Miggo AI