github 9001/copyparty v1.16.15
fix low-severity vuln
on GitHub

19 hours ago

⚠️ this fixes a minor vulnerability; CVE-score 3.6/10

GHSA-m2jw-cj8v-937r aka CVE-2025-27145 could let an attacker run arbitrary javascript by tricking an authenticated user into uploading files with malicious filenames

  • ...but it required some clever social engineering, and is not likely to be a cause for concern... ah, better safe than sorry

there is a discord server with an @everyone in case of future important updates, such as vulnerabilities (most recently 2025-02-25)

recent important news

  • v1.15.0 (2024-09-08) changed upload deduplication to be default-disabled
  • v1.14.3 (2024-08-30) fixed a bug that was introduced in v1.13.8 (2024-08-13); this bug could lead to data loss -- see the v1.14.3 release-notes for details

🧪 new features

  • nothing this time

🩹 bugfixes

  • fix GHSA-m2jw-cj8v-937r / CVE-2025-27145 in 438ea6c
    • when trying to upload an empty files by dragging it into the browser, the filename would be rendered as HTML, allowing javascript injection if the filename was malicious
    • issue discovered and reported by @JayPatel48 (thx!)
  • related issues in errorhandling of uploads 499ae1c 36866f1
    • these all had the same consequences as the GHSA above, but a network outage was necessary to trigger them
      • which would probably have the lucky side-effect of blocking the javascript download, nice
  • paranoid fixing of probably-not-even-issues 3adbb2f
  • fix some markdown / texteditor bugs 407531b
    • only indicate file-versions for markdown files in listings, since it's tricky to edit non-textfiles otherwise
    • CTRL-C followed by CTRL-V and CTRL-Z in a single-line file would make a character fall off
    • ensure safety of extensions

🔧 other changes

  • readme:
    • mention support for running the server on risc-v 6d102fc
    • mention that the sony psp can browse and upload 598a29a

💾 what to download?

download link is it good? description
copyparty-sfx.py ✅ the best 👍 runs anywhere! only needs python
a docker image it's ok good if you prefer docker 🐋
copyparty.exe ⚠️ acceptable for win8 or later; built-in thumbnailer
u2c.exe ⚠️ acceptable CLI uploader as a win7+ exe (video)
copyparty.pyz ⚠️ acceptable similar to the regular sfx, mostly worse
copyparty32.exe ⛔️ dangerous for win7 -- never expose to the internet!
cpp-winpe64.exe ⛔️ dangerous runs on 64bit WinPE, otherwise useless
  • except for u2c.exe, all of the options above are mostly equivalent
  • the zip and tar.gz files below are just source code
  • python packages are available at PyPI
Check out latest releases or
releases around 9001/copyparty v1.16.15

Don't miss a new copyparty release

NewReleases is sending notifications on new releases.

Get notifications