GHSA-67rw-2x62-mqqmLow
Copyparty ftp/sftp: Sharing a single file did not fully restrict source-folder access
🔗 CVE IDs covered (1)
📋 Description
There was a missing permission-check in the shares feature (the shr global-option).
This vulnerability only applies in the following scenario:
- The shares feature is used for the specific purpose of creating a share of just a single file inside a folder
- Either the FTP or SFTP server is enabled, and also made publically accessible
- If a share is password-protected, then SFTP was not vulnerable unless the
sftp-pwglobal-option was also enabled
- If a share is password-protected, then SFTP was not vulnerable unless the
Given these conditions, when a user is browsing a share through either FTP or SFTP (not http or https), they can gain read-access to the remaining files inside the shared folder by guessing/bruteforcing the filenames.
It was not possible to descend into subdirectories in this manner; only the sibling files were accessible.
This issue did not affect filekeys or dirkeys.
This vulnerability is CVE-2025-58753 which was previously fixed for HTTP and HTTPS, but not for FTP. The FTPS server did not yet exist at that time.
🎯 Affected products1
- pip/copyparty:< 1.20.12