CVE-2025-58753: CWE-862: Missing Authorization in 9001 copyparty
Copyparty is a portable file server. In versions prior to 1.19.8, there was a missing permission-check in the shares feature (the `shr` global-option). When a share was created for just one file inside a folder, it was possible to access the other files inside that folder by guessing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This issue did not affect filekeys or dirkeys. Version 1.19.8 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-58753 is a medium-severity vulnerability affecting versions of the 9001 project's copyparty file server prior to 1.19.8. Copyparty is a portable file server designed to share files over a network. The vulnerability arises from a missing authorization check in the shares feature, specifically the `shr` global option. When a user creates a share for a single file inside a folder, the server fails to enforce permission checks on the sibling files in that same folder. An attacker with at least limited privileges (PR:L, low privileges required) can therefore read other files in the folder by guessing their filenames, even though those files were never shared. The flaw does not allow descent into subdirectories, and it does not affect files or directories protected by filekeys or dirkeys, copyparty's separate per-file and per-directory access-key mechanisms. The CVSS 4.0 vector indicates that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), no special attack requirements (AT:N), and no user interaction (UI:N). However, the vector also records a low privilege requirement (PR:L), meaning the attacker must already have some level of access to the service. The impact is limited to confidentiality (VC:L), with no impact on integrity or availability. No exploits are known in the wild as of the publication date. Version 1.19.8 addresses the issue by adding the missing permission checks, so that a single-file share grants access to that file only.
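The following is an added, simplified model of the authorization decision described above; it is not copyparty's code, and the share table, share ids and path layout are constructed. It places the flawed check (a single-file share treated like a share of its parent folder, so siblings are reachable by name while subfolders are not) beside the corrected check (exact match for a file share).

```python
from dataclasses import dataclass
import posixpath


@dataclass(frozen=True)
class Share:
    target: str   # volume-relative path of the shared file or folder
    is_dir: bool  # True when a whole folder was shared, False for one file


# Constructed share table; the share ids are placeholders, not real ones.
SHARES = {
    "abc1": Share("docs/report.pdf", is_dir=False),  # single-file share
    "abc2": Share("pub", is_dir=True),               # folder share
}


def _norm(path: str) -> str:
    """Canonicalise a request path so '..' and '.' cannot dodge the comparison."""
    return posixpath.normpath("/" + path.strip("/")).lstrip("/")


def allowed_vulnerable(share: Share, requested: str) -> bool:
    """Flawed check: a single-file share is compared only against its parent
    folder, so every sibling file is reachable by name (the CVE-2025-58753 bug).
    Subfolders are still rejected, matching the advisory's description."""
    req = _norm(requested)
    base = _norm(share.target if share.is_dir else posixpath.dirname(share.target))
    return posixpath.dirname(req) == base


def allowed_fixed(share: Share, requested: str) -> bool:
    """Corrected check: a single-file share matches exactly one path; a folder
    share covers that folder and (an assumption of this model) everything beneath it."""
    req = _norm(requested)
    tgt = _norm(share.target)
    if not share.is_dir:
        return req == tgt
    return req == tgt or req.startswith(tgt + "/")


def authorize(share_id: str, requested: str, check=allowed_fixed) -> bool:
    """Resolve a share id and apply the chosen check; unknown ids are denied."""
    share = SHARES.get(share_id)
    return share is not None and check(share, requested)
```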
Potential Impact
For European organizations using copyparty as a file-sharing solution, this vulnerability could lead to unauthorized disclosure of sensitive files stored alongside legitimately shared files. Because sibling files can be reached by guessing filenames, confidential data could be exposed without proper authorization. This is particularly concerning for organizations handling personal data under GDPR, intellectual property, or other regulated information. Although the vulnerability does not allow access to subdirectories or to files protected by filekeys or dirkeys, exposure of sibling files could still constitute a data breach. The privilege requirement reduces the risk from external attackers, but insider threats or compromised accounts could exploit it. The absence of user interaction and the network attack vector mean exploitation could be automated once access is gained. The medium severity reflects the limited scope of impact, but the confidentiality risk remains significant. Organizations in sectors such as finance, healthcare, legal, and government in Europe that use copyparty for file sharing should be particularly vigilant.
Mitigation Recommendations
1. Upgrade copyparty installations to version 1.19.8 or later immediately, so that the missing authorization checks are in place.
2. Review and restrict user privileges to the minimum necessary, reducing the chance that an attacker holds the privilege level needed to exploit this vulnerability.
3. Implement strong filename policies and avoid predictable or guessable filenames in shared folders, to reduce the risk of unauthorized access by guessing.
4. Monitor access logs for unusual or repeated requests for sibling files that were not explicitly shared.
5. Where possible, protect sensitive files and directories with filekeys or dirkeys, which are not affected by this vulnerability.
6. Conduct regular security audits and penetration tests of file-sharing services to detect similar authorization issues.
7. Educate users about the risks of sharing files and the importance of proper permissions and naming conventions.
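A detection check for recommendation 4, added here as an example rather than taken from copyparty or this advisory: the log line shape, share table and client addresses are constructed, since the page gives neither the server's real log layout nor its share URL scheme. It flags clients that request several names other than the shared file through a single-file share, counting misses as well as hits.

```python
import re
from collections import defaultdict

# Constructed share table: share id -> filename of the one shared file.
FILE_SHARES = {"abc1": "report.pdf"}

# Constructed log line shape: <client-ip> <status> "GET /share/<id>/<name>"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<status>\d{3}) "GET /share/(?P<sid>[^/"]+)/(?P<name>[^"]*)"$'
)

# Constructed sample log: two clients fetch the shared file, one also probes siblings.
SAMPLE_LOG = """\
203.0.113.5 200 "GET /share/abc1/report.pdf"
203.0.113.7 200 "GET /share/abc1/report.pdf"
203.0.113.7 200 "GET /share/abc1/budget.xlsx"
203.0.113.7 404 "GET /share/abc1/passwords.txt"
203.0.113.7 200 "GET /share/abc1/contracts.pdf"
198.51.100.9 200 "GET /share/abc1/report.pdf"
"""


def find_sibling_probes(log_text: str, file_shares: dict, threshold: int = 2) -> dict:
    """Return {(client_ip, share_id): [names]} for clients that requested at least
    `threshold` distinct names other than the shared file through a single-file
    share. Both hits (200) and misses (404) count: a miss is still a guess."""
    probes = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        target = file_shares.get(m["sid"])
        if target is None or m["name"] == target:
            continue  # not a single-file share, or the legitimate download
        probes[(m["ip"], m["sid"])].add(m["name"])
    return {k: sorted(v) for k, v in probes.items() if len(v) >= threshold}


if __name__ == "__main__":
    for (ip, sid), names in find_sibling_probes(SAMPLE_LOG, FILE_SHARES).items():
        print(f"{ip} probed share {sid} for {len(names)} unshared names: {names}")
```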
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-04T19:18:09.499Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c0983c9ed239a66bacc0f9
Added to database: 9/9/2025, 9:12:28 PM
Last enriched: 9/17/2025, 12:53:51 AM
Last updated: 10/30/2025, 2:19:32 PM