CVE-2025-54796: 
Python vulnerability analysis and mitigation

Copyparty, a portable file server, was found to contain a vulnerability (CVE-2025-54796) in versions prior to 1.18.9. The vulnerability exists in the filter parameter for the "Recent Uploads" page, which allows arbitrary RegExes. When this feature is enabled (which is the default configuration), an attacker can craft a filter that causes the server to deadlock. The vulnerability was discovered and reported by geraldino2, and was publicly disclosed on August 1, 2025 (GitHub Advisory).

The vulnerability is classified as a Regex Denial of Service (ReDoS) attack with a CVSS v3.1 base score of 7.5 (High). The attack vector is Network (N), with Low attack complexity (L), requiring No privileges (N), and No user interaction (UI). The vulnerability allows an attacker to exploit the server by sending a crafted filter parameter to the Recent Uploads page. A proof of concept demonstrates the attack using the URL pattern 'https://127.0.0.1:3923/?ru&filter=(.+)+x' (GitHub Advisory).

When successfully exploited, the vulnerability causes the server to become completely inaccessible for an extended period. The attack affects the availability of the system while leaving confidentiality and integrity intact, as indicated by the CVSS metrics showing High impact on Availability but No impact on Confidentiality and Integrity (GitHub Advisory).

The vulnerability has been fixed in version 1.18.9 of Copyparty. The fix involves changing the filter functionality from being regex-based to only supporting bare-minimum anchoring (^foo bar$). Users are strongly advised to upgrade to version 1.18.9 or later to protect against this vulnerability (GitHub Commit, GitHub Release).