CVE-2025-54796: copyparty allows Regex Denial of Service (ReDoS) in the upload listing
The filter parameter for the “Recent uploads” page allows arbitrary regexes. If this feature is enabled (which is the default), an attacker can craft a filter which deadlocks the server.
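The weak handling pattern next to one possible hardening, as an added example that is not copyparty's code and not the fix the project shipped: the filter is matched as literal text with `*` as the only wildcard, so the client never controls a regex engine. The function names, the sample rows and `MAX_FILTER_LEN` are assumptions made for illustration.

```python
import re

MAX_FILTER_LEN = 256  # assumed cap for this example, not a copyparty setting

# Constructed sample rows (path, uploader address); not real data.
SAMPLE_UPLOADS = [
    ("inc/2025/report.pdf", "203.0.113.7"),
    ("inc/2025/photo (1).jpg", "203.0.113.7"),
    ("music/a+b.flac", "198.51.100.4"),
    ("docs/notes.txt", "198.51.100.4"),
]


def filter_uploads_regex(rows, user_filter):
    """Weak shape: the request parameter is compiled as a regex, so the
    cost of every match is decided by whoever sent the request."""
    rx = re.compile(user_filter)
    return [row for row in rows if rx.search(row[0])]


def glob_contains(text, pattern):
    """Unanchored wildcard match without a regex engine.

    '*' matches any run of characters; every other character is literal.
    Each literal segment is located with str.find from where the previous
    one ended, so the scan only moves forward and never backtracks.
    """
    pos = 0
    for segment in pattern.split("*"):
        if not segment:
            continue  # leading, trailing or doubled '*'
        hit = text.find(segment, pos)
        if hit < 0:
            return False
        pos = hit + len(segment)
    return True


def filter_uploads_safe(rows, user_filter):
    """Hardened shape: bounded filter length, literal/wildcard matching only."""
    if len(user_filter) > MAX_FILTER_LEN:
        raise ValueError("filter too long")
    return [row for row in rows if glob_contains(row[0], user_filter)]
```

Regex metacharacters lose their meaning in the hardened form, so existing users who relied on regex syntax in the filter would see different results.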