DOM-Based Cross-Site Scripting Vulnerability in Copyparty File Server
CVE-2025-27145

3.6 LOW

Key Information:

Vendor: 9001
Status
Copyparty
Vendor
CVE Published: 25 February 2025

Summary

Copyparty, a portable file server, contains a DOM-based cross-site scripting vulnerability in the drag-and-drop feature of its Web-UI. If an attacker tricks a user into dragging a specially named empty file into the interface, the attacker can execute arbitrary JavaScript code with the same privileges as the targeted user. This can potentially lead to unintended access to sensitive files owned by that user. All versions prior to 1.16.15 are affected; version 1.16.15 includes the necessary fix.

Affected Version(s)

copyparty < 1.16.15

CVSS V3.1

Score: 3.6
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Local
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
