CVE-2025-54589: copyparty Reflected XSS via Filter Parameter
6.3
Basic Information
Technical Details
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
copyparty | pip | <= 1.18.6 | 1.18.7 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability is a reflected Cross-Site Scripting (XSS) issue in the 'filter' parameter of the recent uploads page. The patch in commit a8705e611d05eeb22be5d3d7d9ab5c020fe54c62 shows the fix: a new function, `json_hesc`, was added in copyparty/util.py to escape HTML-sensitive characters, and it is then called from the `tx_rups` method of the `HttpSrv` class in copyparty/httpcli.py. The change from `html = self.j2s("rups", this=self, v=jtxt)` to `html = self.j2s("rups", this=self, v=json_hesc(jtxt))` shows that the `jtxt` variable, which carries user-controlled input from the 'filter' parameter, was previously rendered into the page without escaping. `tx_rups` is therefore the vulnerable function: it processed the malicious input and included it in the web page.
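The following is an added illustration, not copyparty's own code: a hypothetical stand-in for `json_hesc` alongside a minimal "before" and "after" render of the uploads page, to show why a JSON-preserving escape (rather than plain HTML escaping) is the right fix when serialised data is embedded in a `<script>` block. The template shape, `render_rups_vulnerable`, `render_rups_fixed`, `is_script_safe` and the sample filter value are all assumptions made for the example.

```python
import json

# Hypothetical stand-in for copyparty's json_hesc (assumption, not the project's code).
# The three characters that can close or alter a <script> block are replaced with
# JSON unicode escapes. The result is still valid JSON, so the browser decodes the
# original characters, but the literal bytes never reach the HTML parser.
def json_hesc(s: str) -> str:
    return s.replace("&", "\\u0026").replace("<", "\\u003c").replace(">", "\\u003e")

# Constructed template mimicking a page that embeds a JSON blob in inline script.
# html.escape() would be wrong here: '&quot;' inside JavaScript breaks the JSON.
TEMPLATE = "<script>var rups = {v};</script>"

def _serialize(filter_param: str) -> str:
    # json.dumps escapes quotes and backslashes but leaves '<', '>' and '&' as-is.
    return json.dumps({"filter": filter_param, "ups": []})

def render_rups_vulnerable(filter_param: str) -> str:
    # 'Before' state: user input is serialised and dropped into the page unescaped.
    return TEMPLATE.format(v=_serialize(filter_param))

def render_rups_fixed(filter_param: str) -> str:
    # 'After' state: same data, but run through the script-safe escape first.
    return TEMPLATE.format(v=json_hesc(_serialize(filter_param)))

def is_script_safe(page: str) -> bool:
    # Defensive check a reviewer or test can run on rendered output: no raw
    # angle brackets may appear between the script tags.
    body = page[len("<script>"):-len("</script>")]
    return "<" not in body and ">" not in body

def roundtrip(filter_param: str) -> str:
    # Shows the escape is lossless: the JSON still decodes to the original value.
    return json.loads(json_hesc(_serialize(filter_param)))["filter"]
```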
Vulnerable functions
HttpSrv.tx_rups
copyparty/httpcli.py