CVE-2025-27142
Published: 25 February 2025
Summary
CVE-2025-27142 is a high-severity Path Traversal (CWE-22) vulnerability in LocalSend. Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 10.6% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation and sanitization of the path parameters in the prepare-upload and upload endpoints, so traversal sequences cannot steer the write outside the download directory.
- SI-2 (Flaw Remediation): requires timely patching to version 1.17.0, which adds proper path sanitization to the affected endpoints.
- CM-7 (Least Functionality): disables non-essential features such as Quick Save, so an inbound transfer cannot write files silently without user interaction.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in the upload endpoints gives an unauthenticated peer on the local network an arbitrary file write through the exposed HTTP API, which is exploitation of a remote service (T1210). That write is then turned into persistence and code execution: a payload dropped into the Windows Startup folder (T1547.001, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder) or into a Bash configuration file on Linux such as `.bashrc` (T1546.004, Event Triggered Execution: Unix Shell Configuration Modification) runs at the next logon or shell start.
NVD Description
LocalSend is a free, open-source app that allows users to securely share files and messages with nearby devices over their local network without needing an internet connection. Prior to version 1.17.0, due to the missing sanitization of the path in the `POST /api/localsend/v2/prepare-upload` and the `POST /api/localsend/v2/upload` endpoint, a malicious file transfer request can write files to the arbitrary location on the system, resulting in the remote command execution. A malicious file transfer request sent by nearby devices can write files into an arbitrary directory. This usually allows command execution via the startup folder on Windows or Bash-related files on Linux. If the user enables the `Quick Save` feature, it will silently write files without explicit user interaction. Version 1.17.0 fixes this issue.
Deeper analysis
CVE-2025-27142 is a path traversal vulnerability (CWE-22) in LocalSend, a free, open-source, cross-platform app for sharing files and messages over a local network without internet access. In versions prior to 1.17.0, the file path carried in the POST /api/localsend/v2/prepare-upload and POST /api/localsend/v2/upload requests is not sanitized, so a malicious peer can direct the received file to an arbitrary location on the recipient's filesystem. That write is enough for remote command execution, for example by dropping a payload into the Windows Startup folder or into a Bash configuration file on Linux. The CVSS v3.1 base score is 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
The attack surface is the local network (AV:A): any device that can reach the LocalSend service can send a crafted transfer request without authentication (PR:N) or elevated privileges. With Quick Save enabled, the file is written silently (UI:N); without it, the recipient must first accept the incoming transfer, but the missing sanitization applies either way, so accepting a transfer from a malicious peer still writes to the attacker-chosen location. The dropped file does not run immediately; it executes at the next reboot, logon or shell start, which is what completes the attack.
The LocalSend security advisory (GHSA-f7jp-p6j4-3522) and the fixing commit (e8635204ec782ded45bc7d698deb60f3c4105687) confirm that version 1.17.0 resolves the issue by sanitizing the path in the affected endpoints. Practitioners should have users update to 1.17.0 or later, disable Quick Save until the update is applied, and treat any prepare-upload request whose file names contain path separators or `..` sequences as hostile.
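The SI-10 control above and the analysis of the prepare-upload/upload sink both come down to one check: a peer-supplied file name must never select a directory. The block below is an added example written for this page, not LocalSend's own code or the fix in commit e8635204; it shows the pre-fix join pattern beside a hardened version. The function names (`vulnerable_target_path`, `safe_file_name`, `safe_target_path`, `validate_prepare_upload`), the `{"files": {<id>: {"fileName": ...}}}` request shape and the sample names are illustrative assumptions.

```python
"""Added example (not LocalSend's own code): a path-containment check of the
kind that closes a CWE-22 file-write sink such as the prepare-upload and
upload endpoints described on this page.

Every identifier below and the {"files": {<id>: {"fileName": ...}}} request
shape are illustrative assumptions, not LocalSend identifiers.
"""
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class UnsafeFileName(ValueError):
    """A client-supplied file name would escape the destination directory."""


def vulnerable_target_path(dest_dir: str, file_name: str) -> str:
    """Pre-fix pattern: the peer-controlled name is joined verbatim, so
    '../../.bashrc' climbs out of dest_dir and an absolute name replaces it."""
    return os.path.normpath(os.path.join(dest_dir, file_name))


def safe_file_name(file_name: str) -> str:
    """Accept only a single path component: no separators under POSIX or
    Windows rules, no drive prefix, no '.' or '..', no NUL byte."""
    if not file_name or "\x00" in file_name:
        raise UnsafeFileName(f"empty or NUL-containing name: {file_name!r}")
    # .name under both conventions drops directories, drives and UNC prefixes;
    # if anything was dropped, the peer tried to steer the path.
    leaf = PureWindowsPath(PurePosixPath(file_name).name).name
    if leaf != file_name or leaf in (".", ".."):
        raise UnsafeFileName(f"path component(s) in file name: {file_name!r}")
    return leaf


def is_safe_file_name(file_name: str) -> bool:
    """Boolean form of safe_file_name, convenient for filtering and tests."""
    try:
        safe_file_name(file_name)
    except UnsafeFileName:
        return False
    return True


def safe_target_path(dest_dir: str, file_name: str) -> Path:
    """Hardened pattern: sanitize the leaf, then confirm the resolved result is
    still inside dest_dir (also catches a pre-existing symlink at the leaf)."""
    root = Path(dest_dir).resolve()
    target = (root / safe_file_name(file_name)).resolve()
    if not target.is_relative_to(root):  # Python 3.9+
        raise UnsafeFileName(f"{target} resolves outside {root}")
    return target


def validate_prepare_upload(dest_dir: str, body: dict) -> dict:
    """Check every file in a prepare-upload style body before any upload is
    accepted; a single unsafe entry rejects the whole request."""
    return {file_id: safe_target_path(dest_dir, meta["fileName"])
            for file_id, meta in body["files"].items()}


# Constructed sample requests (not captured traffic).
DEST = os.path.join(tempfile.gettempdir(), "localsend-downloads")
BENIGN = {"files": {"f1": {"fileName": "report.pdf"}}}
MALICIOUS = {"files": {
    "f1": {"fileName": "report.pdf"},
    "f2": {"fileName": "../../.bashrc"},  # Linux shell rc file
    "f3": {"fileName": r"..\..\Start Menu\Programs\Startup\run.bat"},
}}


def demo() -> None:
    for meta in MALICIOUS["files"].values():
        name = meta["fileName"]
        print(repr(name))
        print("  vulnerable ->", vulnerable_target_path(DEST, name))
        try:
            print("  hardened   ->", safe_target_path(DEST, name))
        except UnsafeFileName as exc:
            print("  hardened   -> rejected:", exc)


if __name__ == "__main__":
    demo()
```

The leaf check is deliberately applied under both POSIX and Windows rules regardless of the host, because a Linux receiver that only strips `/` would still pass `..\..\run.bat` through to a Windows-style share, and a Windows receiver must reject `C:evil.exe` as well as `../`. The second, resolve-based containment check is cheap insurance against a symlink already sitting at the target name; it is not a substitute for the leaf check, since `resolve()` alone would happily accept `../../.bashrc` as a valid absolute path.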
Details
- CWE(s)