GHSA-67rw-2x62-mqqmLow

Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access

Published
March 12, 2026
Last Modified
June 5, 2026

🔗 CVE IDs covered (1)

📋 Description

There was a missing permission-check in the shares feature (the shr global-option).

This vulnerability only applies in the following scenario:

  • The shares feature is used for the specific purpose of creating a share of just a single file inside a folder
  • Either the FTP or SFTP server is enabled, and also made publically accessible
    • If a share is password-protected, then SFTP was not vulnerable unless the sftp-pw global-option was also enabled

Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames.

It was not possible to descend into subdirectories in this manner; only the sibling files were accessible.

This issue did not affect filekeys or dirkeys.

This vulnerability is CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time.

🎯 Affected products1

  • pip/copyparty:< 1.20.12

🔗 References (4)