CVE-2025-58753: CWE-862: Missing Authorization in 9001 copyparty
Copyparty is a portable file server. In versions prior to 1.19.8, there was a missing permission-check in the shares feature (the `shr` global-option). When a share was created for just one file inside a folder, it was possible to access the other files inside that folder by guessing the filenames. It was not possible to descend into subdirectories in this manner; only the sibling files were accessible. This issue did not affect filekeys or dirkeys. Version 1.19.8 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-58753 is a medium-severity vulnerability affecting copyparty, a portable file server developed by 9001. The vulnerability arises from a missing authorization check in the 'shares' feature, specifically related to the 'shr' global option, in versions prior to 1.19.8. When a share is created for a single file inside a folder, the server fails to properly enforce permission checks on sibling files within the same folder. This allows an unauthorized user to access other files in that folder by guessing their filenames. However, the vulnerability does not permit traversal into subdirectories, limiting the scope of unauthorized access to sibling files only. Additionally, filekeys and dirkeys mechanisms remain unaffected by this issue. The vulnerability is classified under CWE-862 (Missing Authorization) and CWE-552 (Files or Directories Accessible to External Parties). The CVSS v4.0 base score is 5.3, indicating a medium severity level. The attack vector is network-based with low attack complexity, requiring no authentication or user interaction, but it only results in limited confidentiality impact since only sibling files can be accessed. The issue was addressed and fixed in copyparty version 1.19.8.
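An added illustration of the authorization gap the summary describes (this is not copyparty's code; the share target, paths and helper names are constructed for the example): a folder-level check that serves any sibling of the shared file, beside the exact-match check a single-file share needs, run over the sibling, subdirectory and traversal cases the description distinguishes.

```python
import posixpath

# Constructed sample share: exactly one file, report.pdf, inside /srv/docs.
SHARE_TARGET = "/srv/docs/report.pdf"


def _canonical(path: str) -> str:
    """Collapse '.', '..' and duplicate slashes so both checks compare one form."""
    return posixpath.normpath("/" + path.lstrip("/"))


def authorize_sibling_leaky(share_target: str, requested: str) -> bool:
    """Hypothetical folder-level check of the kind the advisory describes:
    any file in the shared file's folder passes (siblings are exposed),
    while paths in subdirectories still fail the directory comparison."""
    req = _canonical(requested)
    return posixpath.dirname(req) == posixpath.dirname(_canonical(share_target))


def authorize_fixed(share_target: str, requested: str) -> bool:
    """A single-file share grants exactly that file and nothing else."""
    return _canonical(requested) == _canonical(share_target)


def audit(share_target: str, requests: list[str]) -> dict[str, tuple[bool, bool]]:
    """Run both checks on each request; a (True, False) pair marks a request the
    leaky check would have served but the fixed check refuses."""
    return {r: (authorize_sibling_leaky(share_target, r),
                authorize_fixed(share_target, r)) for r in requests}


if __name__ == "__main__":
    probes = [
        "/srv/docs/report.pdf",          # the shared file itself: both allow
        "/srv/docs/secret.txt",          # sibling: only the leaky check allows
        "/srv/docs/sub/notes.txt",       # subdirectory: both refuse
        "/srv/docs/../other/file.txt",   # normalises outside the folder: both refuse
    ]
    for req, (leaky, fixed) in audit(SHARE_TARGET, probes).items():
        print(f"{req:32} leaky={leaky!s:5} fixed={fixed}")
```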
Potential Impact
For European organizations using copyparty versions prior to 1.19.8, this vulnerability could lead to unauthorized disclosure of sensitive files stored within shared folders. Although the attacker cannot access subdirectories or files protected by filekeys or dirkeys, the ability to guess and access sibling files may expose confidential or proprietary information, potentially leading to data breaches or compliance violations under regulations such as GDPR. The impact is primarily on confidentiality, with no direct effect on integrity or availability. Since exploitation requires no authentication and can be performed remotely, the risk is elevated in environments where copyparty is exposed to untrusted networks. Organizations relying on copyparty for internal or external file sharing should consider the sensitivity of data stored in shared folders and the likelihood of attackers guessing filenames. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly disclosed.
Mitigation Recommendations
European organizations should promptly upgrade copyparty to version 1.19.8 or later to remediate this vulnerability. Until the upgrade is applied, administrators should avoid creating shares for individual files within folders containing sensitive sibling files or implement strict naming conventions to reduce the risk of filename guessing. Additionally, enabling and properly configuring filekeys and dirkeys can provide an extra layer of protection by restricting unauthorized access. Network-level controls such as firewall rules or VPN access should be used to limit exposure of copyparty servers to untrusted networks. Regular audits of shared folders and access logs can help detect suspicious access patterns. Organizations should also educate users about secure file sharing practices and monitor for updates from the vendor regarding any further security advisories.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-09-04T19:18:09.499Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68c0983c9ed239a66bacc0f9
Added to database: 9/9/2025, 9:12:28 PM
Last enriched: 9/9/2025, 9:13:21 PM
Last updated: 9/10/2025, 3:10:20 AM