CVE-2025-27142

HIGH

LocalSend < 1.17.0 - Path Traversal and Remote Code Execution via Prepare-Upload and Upload Endpoints

Title source: llm

Description

LocalSend is a free, open-source app that allows users to securely share files and messages with nearby devices over their local network without needing an internet connection. Prior to version 1.17.0, due to the missing sanitization of the path in the `POST /api/localsend/v2/prepare-upload` and the `POST /api/localsend/v2/upload` endpoint, a malicious file transfer request can write files to the arbitrary location on the system, resulting in the remote command execution. A malicious file transfer request sent by nearby devices can write files into an arbitrary directory. This usually allows command execution via the startup folder on Windows or Bash-related files on Linux. If the user enables the `Quick Save` feature, it will silently write files without explicit user interaction. Version 1.17.0 fixes this issue.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/localsend/localsend/security/advisories/GHSA-f7jp-p6j4-3522

Patch x_refsource_misc

https://github.com/localsend/localsend/commit/e8635204ec782ded45bc7d698deb60f3c4105687

View Patch ZIP pw:eip

Scores

CVSS v3 8.8

EPSS 0.0051

EPSS Percentile 39.6%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-22

Status published

Products (1)

localsend/localsend < 1.17.0

Published Feb 25, 2025

Tracked Since Feb 18, 2026