OT: copyparty

copyparty

issues

N.B. Copyparty has had a couple of known security vulnerabilities, though they’ve been addressed in recent updates. Here’s a quick rundown:

:shield: Known Security Issues

  1. DOM-Based Cross-Site Scripting (XSS) – CVE-2025-27145
     Affected versions: Prior to 1.16.15
     Risk level: Low
     Details:
       - Triggered when a user drags a maliciously named, empty file into the Web UI.
       - Could allow arbitrary JavaScript execution with the user’s privileges.
       - Notably, this happens during the upload action—not when the file is opened.
     Fix: Patched in version 1.16.15

  2. Multimedia Metadata XSS – CVE-2025-54423
     Affected versions: Prior to 1.18.5
     Risk level: Moderate (CVSS score 5.4)
     Details:
       - Improper sanitization of metadata in multimedia files (e.g., .m3u playlists).
       - Could allow unauthenticated attackers to execute JavaScript via malicious metadata or URLs.
     Fix: Patched in version 1.18.5

:locked: Recommendations

  - Update immediately to version 1.18.5 or later to ensure you’re protected.
  - Avoid uploading or interacting with untrusted multimedia files, especially .m3u.
  - Be cautious with drag-and-drop actions in the Web UI involving unknown files.

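Both issues in the post above involve attacker-controlled text (a file name, playlist metadata) ending up in page markup. The following is an added illustration of that bug class and its fix, not copyparty's code and not part of the original post. The function names, the sample file name and the sample playlist are constructed, and treating `#EXTINF` titles as the metadata in question is an assumption.

```javascript
// Added illustration of the XSS bug class; NOT copyparty's code.
// All function names and sample inputs below are hypothetical/constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change HTML parsing context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable pattern: untrusted text concatenated straight into markup.
function renderRowUnsafe(label) {
  return '<li class="row">' + label + '</li>';
}

// Hardened pattern: untrusted text is escaped before it reaches markup.
function renderRowSafe(label) {
  return '<li class="row">' + escapeHtml(label) + '</li>';
}

// Pull display titles out of an extended .m3u playlist (#EXTINF:<secs>,<title>).
function m3uTitles(text) {
  const titles = [];
  for (const line of text.split(/\r?\n/)) {
    const m = /^#EXTINF:[^,]*,(.*)$/.exec(line.trim());
    if (m) titles.push(m[1]);
  }
  return titles;
}

// True if the fragment holds any tag besides the <li> wrapper we emitted.
function hasInjectedMarkup(html) {
  const inner = html.replace(/^<li class="row">/, '').replace(/<\/li>$/, '');
  return /<[a-zA-Z\/!]/.test(inner);
}

// Constructed inputs: a file name as seen at drop time, and a playlist body.
const droppedName = '<img src=x onerror=alert(1)>.txt';
const playlist = '#EXTM3U\n#EXTINF:120,<b onmouseover=alert(1)>Track</b>\nhttp://example.com/a.mp3';

for (const label of [droppedName, ...m3uTitles(playlist)]) {
  console.log(JSON.stringify(label),
    'unsafe injects markup:', hasInjectedMarkup(renderRowUnsafe(label)),
    '| safe injects markup:', hasInjectedMarkup(renderRowSafe(label)));
}
```

In a browser, assigning the label through `textContent` instead of building an HTML string gives the same protection without a hand-written escaper.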