CVE-2025-27145: 
Python vulnerability analysis and mitigation

A DOM-based cross-site scripting (XSS) vulnerability was discovered in copyparty, a portable file server, affecting versions prior to 1.16.15. The vulnerability was discovered and reported by JayPatel48 and was assigned CVE-2025-27145. The issue was disclosed on February 25, 2025, and has been patched in version 1.16.15 (GitHub Advisory).

The vulnerability is triggered when a user attempts to drag and drop an empty (zero bytes) file with a maliciously crafted filename into copyparty's Web-UI. The issue occurs because filenames were rendered as unsanitized HTML in the message box during the upload process, allowing for arbitrary JavaScript execution. The vulnerability has been assigned a CVSS v3.1 base score of 3.6 (Low) with the vector string CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N (GitHub Advisory).

If successfully exploited, the vulnerability allows an attacker to execute arbitrary JavaScript code with the same privileges as the user performing the upload action. This could potentially lead to unauthorized access to files owned by the affected user. The impact is considered low due to the attack complexity and required user interaction (GitHub Advisory).

The vulnerability has been fixed in copyparty version 1.16.15 by properly escaping filenames before rendering them in the message box. Users are advised to upgrade to this version or later to address the vulnerability (GitHub Release).

The vulnerability was considered low-risk, and the project maintainers noted that while the vulnerability could allow JavaScript execution during the upload process, it was distinct from the intentional functionality that allows HTML files with JavaScript to be uploaded and executed when opened (GitHub Release).