CVE-2025-58753 Overview
CVE-2025-58753 affects Copyparty, a portable file server written in Python. Versions prior to 1.19.8 contain a missing permission check in the shares feature controlled by the shr global option. When a user creates a share for a single file within a folder, the permission boundary is not properly enforced on sibling files. An attacker with knowledge or the ability to guess filenames in the same directory can retrieve those files through the share URL. The flaw does not allow descending into subdirectories, and filekeys and dirkeys are not affected. The maintainer released version 1.19.8 to remediate the issue.
Critical Impact
Authenticated users holding a single-file share link can access unintended sibling files in the same folder, resulting in information disclosure [CWE-552].
Affected Products
- Copyparty versions prior to 1.19.8
- Deployments using the shr global option for file shares
- Single-file shares created from folders containing additional files
Discovery Timeline
- 2025-09-09 - CVE-2025-58753 published to NVD
- 2025-09-18 - Last updated in NVD database
Technical Details for CVE-2025-58753
Vulnerability Analysis
The vulnerability resides in Copyparty's share handling logic inside copyparty/authsrv.py. When a share targets a single file, the virtual file system (VFS) node representing the share did not fully constrain path resolution to that file. The canonicalization helpers used to resolve requested paths inherited behavior from the parent directory node. Requests for other filenames in the same folder resolved successfully and returned content.
The issue is a files-or-directories accessible to external parties weakness [CWE-552]. It only impacts confidentiality of sibling files; integrity and availability are not affected, and traversal into nested subdirectories is blocked by existing checks.
Root Cause
The share VFS node reused the parent directory's canonical and dcanonical methods. Without share-specific overrides, the permission check did not fence path resolution to the single shared file. Any authenticated user able to reach the share endpoint could request neighboring filenames and receive their contents.
Attack Vector
An attacker needs network access to the Copyparty instance and a valid share URL targeting a single file. The attacker substitutes the filename in the share request with guessed names of other files in the same directory. Successful requests disclose the contents of those sibling files without further authentication checks.
self.get_dbv = self._get_dbv
self.ls = self._ls
+ self.canonical = self._canonical
+ self.dcanonical = self._dcanonical
def __repr__(self) -> str:
return "VFS(%s)" % (
Source: GitHub commit e0a92ba. The patch attaches share-specific _canonical and _dcanonical resolvers to the share VFS node, fencing path resolution to the shared file.
Detection Methods for CVE-2025-58753
Indicators of Compromise
- Access log entries showing share URLs requesting multiple distinct filenames against the same share token within a short window.
- HTTP 200 responses to share endpoints for filenames other than the file originally intended for sharing.
- Unexpected outbound transfers of files located alongside legitimately shared files.
Detection Strategies
- Parse Copyparty access logs and group requests by share identifier to flag tokens that resolve to more than one filename.
- Compare requested filenames in share requests against the originally configured share target stored in Copyparty's share database.
- Alert on enumeration patterns such as sequential or dictionary-style filename guessing against share endpoints.
Monitoring Recommendations
- Enable verbose access logging on Copyparty and forward logs to a centralized log platform for correlation.
- Monitor the Copyparty process version string and alert when instances run versions older than 1.19.8.
- Track download volume per share token and trigger review when volume exceeds the size of the intended shared file.
How to Mitigate CVE-2025-58753
Immediate Actions Required
- Upgrade Copyparty to version 1.19.8 or later on every host running the service.
- Review existing shares created from folders containing sensitive sibling files and revoke any that are no longer required.
- Audit access logs for the period between share creation and patch deployment to identify potential disclosure of sibling files.
Patch Information
The fix is included in Copyparty 1.19.8, published as GitHub Release v1.19.8. The code change is documented in commit e0a92ba and the maintainer's GHSA-pxvw-4w88-6x95 advisory.
Workarounds
- Disable the shr global option until the upgrade to 1.19.8 is complete.
- Use filekeys or dirkeys instead of single-file shares, since those mechanisms are not affected by this issue.
- Place files intended for sharing in dedicated folders that contain no other content, eliminating sibling exposure.
# Verify the installed Copyparty version is at or above the fixed release
python3 -m copyparty --version
# Upgrade via pip
python3 -m pip install --upgrade 'copyparty>=1.19.8'
# Temporary mitigation: start copyparty without the shares feature
python3 -m copyparty --no-shr
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
