CVE-2025-54423: copyparty has DOM-Based XSS vulnerability when displaying multimedia metadata

July 28, 2025 (updated July 29, 2025)

An unauthenticated attacker is able to execute arbitrary JavaScript code in a victim’s browser due to improper sanitization of multimedia tags in music files, including m3u files.

References

github.com/9001/copyparty
github.com/9001/copyparty/commit/895880aeb0be0813ddf732487596633f8f9fc3a6
github.com/9001/copyparty/releases/tag/v1.18.5
github.com/9001/copyparty/security/advisories/GHSA-9q4r-x2hj-jmvr
github.com/advisories/GHSA-9q4r-x2hj-jmvr
nvd.nist.gov/vuln/detail/CVE-2025-54423

Code Behaviors & Features

Detect and mitigate CVE-2025-54423 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →