Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-54589 PoC — copyparty Reflected XSS via Filter Parameter

Source
https://github.com/byteReaper77/CVE-2025-54589
Associated Vulnerability
Title:copyparty Reflected XSS via Filter Parameter (CVE-2025-54589)
Description:Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at `/?ru`, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a `<script>` block without proper escaping, allowing for reflected Cross-Site Scripting (XSS) and can be exploited against both authenticated and unauthenticated users. This is fixed in version 1.18.7.
Description
PoC for CVE-2025-54589 – a reflected XSS vulnerability in Copyparty ≤ 1.18.6.
Readme
# CVE-2025-54589 – Copyparty Reflected XSS 
**Author:** Byte Reaper  
## Description  : 
This repository provides a Proof-of-Concept (PoC)  and simple exploit for **CVE-2025-54589**, a reflected Cross-Site Scripting (XSS) vulnerability in **Copyparty ≤ 1.18.6**.  
By injecting crafted JavaScript payloads into the `filter` parameter, this tool automates detection of the vulnerability and logs successful reflections.

## Features  :
- Supports **HTTP** and **HTTPS** targets  
- Optional custom **cookie** and **CA** file support  
- **Auto color-detection** for terminals (disable with `--no-color`)  
- **Verbose** mode for detailed request/response debug  
- **Rate-limit friendly** (configurable delay between requests)  
- Logs all results to `results.txt`  

## References  "  
- NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-54589
  

## Usage  

1. **Compile** the scanner:  
   ```
   gcc exploit.c argparse.c -o exploit -lcurl
   ./exploit -i <IP> -p <PORT> -c <COOKIES_FILE> -a <CA_FILE> -v
   ```
## Example : 
- Verbose Mode :
   ```
   ./exploit -v -i 1.1.1.1 -p 80
   ```
- disable ANSI colors :
   ```
   ./exploit -n -i 1.1.1.1 -p 443  
   ```
2 - Check results.txt for a summary of payloads and server responses.
## License : 
MIT License
File Snapshot

 [4.0K]  /data/pocs/32ff5db69027530cd13d2efb8b8a519a1b1ebda4
├── [ 13K]  exploit.c
├── [1.0K]  LICENSE
└── [1.3K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →