CVE-2025-54423

copyparty is a portable file server. In versions up to and including versions 1.18.4, an unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including m3u files. This is fixed in version 1.18.5.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/9001/copyparty/commit/895880aeb0be0813ddf732487596633f8f9fc3a6
https://github.com/9001/copyparty/releases/tag/v1.18.5
https://github.com/9001/copyparty/security/advisories/GHSA-9q4r-x2hj-jmvr

Configurations

No configuration.

History

29 Jul 2025, 14:14

Type	Values Removed	Values Added
Summary		(es) Copyparty es un servidor de archivos portátil. En versiones hasta la 1.18.4 incluida, un atacante no autenticado puede ejecutar código JavaScript arbitrario en el navegador de la víctima debido a una depuración incorrecta de las etiquetas multimedia en archivos de música, incluyendo archivos m3u. Esto se solucionó en la versión 1.18.5.

28 Jul 2025, 20:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-28 20:17

Updated : 2025-07-29 14:14

NVD link : CVE-2025-54423

Mitre link : CVE-2025-54423

CVE.ORG link : CVE-2025-54423

JSON object : View

Products Affected

No product.

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10