6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54589

GHSA ID

GHSA-8mx2-rjh8-q3jq

EPSS Score

CWE

CWE-79

Published

7/31/2025

Updated

7/31/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-54589

CVE-2025-54589: copyparty Reflected XSS via Filter Parameter

Summary

Unauthorized reflected Cross-Site-Scripting when accessing the URL for recent uploads with the filter parameter containing JavaScript code.

Details

When accessing the recent uploads page at /?ru, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a <script> block without proper escaping. This vulnerability allows for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users, enabling unwanted actions in the victims browser.

PoC

A URL like this will execute alert(1):

https://127.0.0.1:3923/?ru&filter=</script><script>alert(1)</script>

(GitHub Advisory)

6.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-54589

GHSA ID

GHSA-8mx2-rjh8-q3jq

EPSS Score

CWE

CWE-79

Published

7/31/2025

Updated

7/31/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
copyparty	pip	<= 1.18.6	1.18.7

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the 'filter' parameter of the recent uploads page. The provided patch in commit a8705e611d05eeb22be5d3d7d9ab5c020fe54c62 clearly shows the fix. A new function, json_hesc, was added in copyparty/util.py to escape HTML-sensitive characters. This function is then used in the tx_rups method within the HttpSrv class in copyparty/httpcli.py. The change from html = self.j2s("rups", this=self, v=jtxt) to html = self.j2s("rups", this=self, v=json_hesc(jtxt)) demonstrates that the jtxt variable, containing user-controlled input from the 'filter' parameter, was previously being rendered without escaping. Therefore, the tx_rups function is the vulnerable function, as it was processing the malicious input and including it in the web page.

Vulnerable functions

HttpSrv.tx_rups

copyparty/httpcli.py

The `tx_rups` function in the `HttpSrv` class is responsible for handling the recent uploads page. The original code passed the `jtxt` variable, which contains the value of the `filter` parameter from the URL, directly to the template rendering function `self.j2s` without any escaping. This allows an attacker to inject malicious HTML and JavaScript code, leading to a reflected Cross-Site Scripting (XSS) vulnerability.

WAF Protection Rules

WAF Rule

### Summ*ry Un*ut*oriz** r**l**t** *ross-Sit*-S*riptin* w**n ****ssin* t** URL *or r***nt uplo**s wit* t** `*ilt*r` p*r*m*t*r *ont*inin* J*v*S*ript *o**. ### **t*ils W**n ****ssin* t** r***nt uplo**s p*** *t `/?ru`, us*rs **n *ilt*r t** r*sults usin

Reasoning

T** vuln*r**ility is * r**l**t** *ross-Sit* S*riptin* (XSS) issu* in t** '*ilt*r' p*r*m*t*r o* t** r***nt uplo**s p***. T** provi*** p*t** in *ommit `****************************************` *l**rly s*ows t** *ix. * n*w *un*tion, `json_**s*`, w*s **

6.3

Basic Information

Concerned about an active attack path?

CVE-2025-54589: copyparty Reflected XSS via Filter Parameter

Summary

Details

PoC

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI