5.4

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-9q4r-x2hj-jmvr

EPSS Score

CWE

CWE-79

Published

7/28/2025

Updated

7/28/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-9q4r-x2hj-jmvr

GHSA-9q4r-x2hj-jmvr: copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata

Summary

An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including m3u files.

Details

Multimedia metadata is rendered in the web-app without sanitization. This can be exploited in two ways:

a user which has the necessary permission for uploading files can upload a song with an artist-name such as <img src=x onerror=alert(document.domain)>
an unauthenticated user can trick another user into clicking a malicious URL, performing this same exploit using an externally-hosted m3u file

The CVE score and PoC is based on the m3u approach, which results in a higher severity.

PoC

Create a file named song.m3u with the following content. Host this file on an attacker-controlled web server.

#EXTM3U
#EXTINF:1,"><img src=x onerror=alert(document.domain)> - "><img src=x onerror=alert(document.domain)>
http://example.com/audio.mp3

Craft and share the malicious URL:

http://127.0.0.1:3923/#m3u=https://example.com/song.m3u

Impact

Any user that accesses this malicious URL is impacted.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-9q4r-x2hj-jmvr

EPSS Score

CWE

CWE-79

Published

7/28/2025

Updated

7/28/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
copyparty	pip	<= 1.18.4	1.18.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a DOM-based Cross-Site Scripting (XSS) issue in copyparty caused by rendering unsanitized multimedia metadata. The analysis of the provided patch commit 895880aeb0be0813ddf732487596633f8f9fc3a6 was the key to identifying the vulnerable functions.

The commit modified a single file, copyparty/web/browser.js, in two distinct locations. Both changes involved adding an escaping function, esc(), to variables that held metadata tag values before they were added to arrays used for HTML generation.

By inspecting the source code of copyparty/web/browser.js around the patched lines, I identified the enclosing functions. The changes were located within two different functions, both named render, but residing in different JavaScript modules (search_ui and treectl) created using the IIFE pattern.

The first vulnerable function, which I've identified as search_ui.render, is responsible for rendering search results. The unescaped metadata was being added to the nodes array.
The second vulnerable function, treectl.render, is responsible for rendering the file browser tree. Here, the unescaped metadata was being added to the ln array.

These functions are the direct points of vulnerability because they process and prepare the malicious data for display without proper sanitization. An attacker can exploit this by crafting a malicious multimedia file (or an .m3u playlist) with specially crafted metadata tags containing JavaScript payloads. When a user views the directory containing this file or loads the malicious playlist, the vulnerable render functions execute, injecting the payload into the DOM and triggering the XSS. The provided function names include the module they belong to for clarity, as a runtime profiler would likely provide this contextual information.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Summ*ry *n un*ut**nti**t** *tt**k*r is **l* to *x**ut* *r*itr*ry J*v*S*ript *o** in * vi*tim's *rows*r *u* to improp*r s*nitiz*tion o* multim**i* t**s in musi* *il*s, in*lu*in* `m*u` *il*s. ### **t*ils Multim**i* m*t***t* is r*n**r** in t** w*

Reasoning

T** vuln*r**ility is * *OM-**s** *ross-Sit* S*riptin* (XSS) issu* in `*opyp*rty` **us** *y r*n**rin* uns*nitiz** multim**i* m*t***t*. T** *n*lysis o* t** provi*** p*t** *ommit `****************************************` w*s t** k*y to i**nti*yin* t**

5.4

Basic Information

Concerned about an active attack path?

GHSA-9q4r-x2hj-jmvr: copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata

Summary

Details

PoC

Impact

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI