LocalSend File Transfer Vulnerability in Open-Source Application
CVE-2025-27142

6.3 MEDIUM

Key Information:

Vendor: Localsend
CVE Published: 25 February 2025

Summary

LocalSend is a free, open-source application for secure file sharing over a local network without an internet connection. Prior to version 1.17.0, however, it had a critical flaw in how it handled file transfer requests: the application did not properly sanitize the file paths supplied to its POST /api/localsend/v2/prepare-upload and POST /api/localsend/v2/upload endpoints. A crafted transfer request could therefore control where a received file was written on the user's system, leading to arbitrary file writes and potentially to remote command execution. The 'Quick Save' feature made this worse, because it accepts incoming transfers automatically, so the write could occur without any user consent or intervention. The issue is fixed in version 1.17.0, and users should update immediately.
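The defect described above is a missing sanitization step between the sender-supplied file name and the path the receiver writes to. The following Python example, added here and not taken from LocalSend's code base, shows the two controls a receiver needs: a strict file-name policy applied at the prepare stage, and an independent containment check on the resolved path before anything is written. The request shape ({"files": {id: {"fileName": ...}}}) and the function names are simplifications constructed for this example, not the project's actual schema or API.

```python
import os
import tempfile


class UnsafeFileNameError(ValueError):
    """A client-supplied file name would escape the configured save directory."""


def sanitize_file_name(name: str) -> str:
    """Accept a bare file name only; refuse anything carrying path semantics.

    Policy (an assumption for this example): the receiver chooses the directory,
    the sender only names the file. Separators, '..', NUL bytes and empty names
    are rejected outright rather than "cleaned", so a traversal attempt fails
    loudly instead of silently landing somewhere unexpected.
    """
    if not name or "\x00" in name:
        raise UnsafeFileNameError("empty file name or embedded NUL byte")
    # Check both separator styles regardless of host OS: a name accepted on
    # Linux may later be handled on Windows, where the backslash is a separator.
    if "/" in name or "\\" in name:
        raise UnsafeFileNameError(f"path separator in file name: {name!r}")
    if name in (".", ".."):
        raise UnsafeFileNameError(f"reserved name: {name!r}")
    return name


def resolve_save_path(save_dir: str, requested_name: str) -> str:
    """Return the absolute path the file may be written to, or raise."""
    base = sanitize_file_name(requested_name)
    root = os.path.realpath(save_dir)
    target = os.path.realpath(os.path.join(root, base))
    # Second, independent check: after symlink and drive resolution the file
    # must still sit directly inside the save directory. This also catches
    # Windows drive-relative names such as 'C:foo', which os.path.join would
    # otherwise move to a different drive.
    if os.path.dirname(target) != root:
        raise UnsafeFileNameError(f"resolved path {target!r} leaves {root!r}")
    return target


def is_safe_name(name: str) -> bool:
    """Convenience predicate around sanitize_file_name() for policy tests."""
    try:
        sanitize_file_name(name)
    except UnsafeFileNameError:
        return False
    return True


def prepare_upload(save_dir: str, request: dict) -> dict:
    """Simulated prepare-upload stage (constructed request shape).

    Every announced file name is validated and bound to a final path *before*
    any transfer is accepted. Returns {file_id: absolute_path}.
    """
    session = {}
    for file_id, meta in request.get("files", {}).items():
        session[file_id] = resolve_save_path(save_dir, meta["fileName"])
    return session


def upload(session: dict, file_id: str, data: bytes) -> str:
    """Simulated upload stage: the upload request carries no path of its own;
    it may only refer to an id whose destination was fixed at prepare time."""
    if file_id not in session:
        raise KeyError(f"unknown file id {file_id!r}")
    path = session[file_id]
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    save_dir = tempfile.mkdtemp(prefix="localsend-demo-")
    session = prepare_upload(save_dir, {"files": {"f1": {"fileName": "report.pdf"}}})
    print("written:", upload(session, "f1", b"constructed sample content"))
    # Constructed traversal-style names a receiver must refuse at prepare time.
    for bad in ["../../.bashrc", "..\\..\\startup.bat", "/etc/passwd", "a\x00.txt", ".."]:
        try:
            prepare_upload(save_dir, {"files": {"f2": {"fileName": bad}}})
        except UnsafeFileNameError as exc:
            print("rejected:", exc)
```

The key design choice is that the upload stage never receives a path: the destination is decided once, from a validated name, when the transfer is announced, and the later data request can only reference that decision by id. The realpath containment check is deliberately kept even though the name policy already forbids separators, so that a future relaxation of the policy (for example to allow sender-chosen subfolders) does not silently reopen the traversal.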

Affected Version(s)

localsend < 1.17.0

References

CVSS V4

Score:
6.3
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Adjacent Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
