CVE-2025-54589: 
Python vulnerability analysis and mitigation

CVE-2025-54589 affects Copyparty, a portable file server, in versions 1.18.6 and below. The vulnerability was discovered and disclosed on July 31, 2025, and involves a reflected Cross-Site Scripting (XSS) vulnerability in the recent uploads page functionality. When accessing the recent uploads page at /?ru, users can filter results using an input field that appends a filter parameter to the URL, which reflects its value directly into a script block without proper escaping (GitHub Advisory).

The vulnerability is classified as a CWE-80 (Improper Neutralization of Script-Related HTML Tags in a Web Page) and CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It has been assigned a CVSS v3.1 base score of 6.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L. The vulnerability can be triggered through the filter parameter in the recent uploads page URL, allowing for the execution of arbitrary JavaScript code (GitHub Advisory).

The vulnerability affects both authenticated and unauthenticated users, enabling attackers to execute unwanted actions in the victim's browser through cross-site scripting attacks. This can lead to potential data theft, session hijacking, or other malicious activities performed in the context of the user's browser session (GitHub Advisory).

The vulnerability has been fixed in version 1.18.7 of Copyparty. Users are strongly advised to upgrade to this version to protect against potential XSS attacks. The fix involves proper escaping of the filter parameter value before it is reflected in the page (GitHub Release).

The vulnerability was responsibly disclosed and acknowledged by the Copyparty development team. The project maintainers have established a Discord server to notify users about important security updates, including this vulnerability (GitHub Release).