CVE-2025-54796

Copyparty is a portable file server. Versions prior to 1.18.9, the filter parameter for the "Recent Uploads" page allows arbitrary RegExes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server. This is fixed in version 1.18.9.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/9001/copyparty/commit/09910ba80784c3980947d92f45db696398c0fd83	Patch
https://github.com/9001/copyparty/releases/tag/v1.18.9	Release Notes
https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6	Exploit Vendor Advisory
https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-02 00:15

Updated : 2025-09-12 16:13

NVD link : CVE-2025-54796

Mitre link : CVE-2025-54796

CVE.ORG link : CVE-2025-54796

JSON object : View

Products Affected

9001

copyparty

CWE

CWE-400

Uncontrolled Resource Consumption

CWE-833

Deadlock

CWE-1333

Inefficient Regular Expression Complexity

{"id": "CVE-2025-54796", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-08-02T00:15:26.550", "references": [{"url": "https://github.com/9001/copyparty/commit/09910ba80784c3980947d92f45db696398c0fd83", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/9001/copyparty/releases/tag/v1.18.9", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://github.com/9001/copyparty/security/advisories/GHSA-5662-2rj7-f2v6", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-833"}, {"lang": "en", "value": "CWE-1333"}]}], "descriptions": [{"lang": "en", "value": "Copyparty is a portable file server. Versions prior to 1.18.9, the filter parameter for the \"Recent Uploads\" page allows arbitrary RegExes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server. This is fixed in version 1.18.9."}, {"lang": "es", "value": "Copyparty es un servidor de archivos port\u00e1til. En versiones anteriores a la 1.18.9, el par\u00e1metro de filtro de la p\u00e1gina \"Subidas recientes\" permite expresiones regulares arbitrarias. Si esta funci\u00f3n est\u00e1 habilitada (por defecto), un atacante puede manipular un filtro que bloquee el servidor. Esto se solucion\u00f3 en la versi\u00f3n 1.18.9."}], "lastModified": "2025-09-12T16:13:54.597", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:9001:copyparty:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BCFBCFBD-9305-4DBD-92B6-29B6F8FDF5B2", "versionEndExcluding": "1.18.9"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}