Cyber Resilience

CVE-2025-27142

Medium

Published: 25 February 2025
Modified: 28 February 2025
KEV Added: not listed
Patch: available
CVSS v4 Score: 6.3 (CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0465 (89.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27142 is a medium-severity Path Traversal (CWE-22) vulnerability in LocalSend (vendor and product: LocalSend). Its CVSS v4 base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE ranks in the top 10.5% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

LocalSend is an open-source file-sharing application that operates over local networks. Prior to version 1.17.0, the endpoints POST /api/localsend/v2/prepare-upload and POST /api/localsend/v2/upload failed to sanitize supplied file paths, exposing a path traversal flaw (CWE-22). An attacker able to reach these endpoints could therefore cause the application to write files to arbitrary locations on the host filesystem.

Because LocalSend is designed for nearby devices, any adjacent-network actor can submit a crafted upload request that places executables in sensitive directories such as the Windows Startup folder or Linux shell configuration files. When the Quick Save feature is enabled, the write occurs without user interaction, resulting in remote command execution with the privileges of the LocalSend process. The CVSS 4.0 score of 6.3 reflects the adjacent-network attack vector combined with high impact on confidentiality, integrity, and availability.

The project’s security advisory GHSA-f7jp-p6j4-3522 and the corresponding commit e8635204ec782ded45bc7d698deb60f3c4105687 state that the issue is resolved in version 1.17.0; users should upgrade to obtain the path-sanitization fix. The associated EPSS score rose from lower values to a peak of 0.0859 on 2026-04-08 before receding to the current 0.0465, indicating a measurable increase in exploitation interest after disclosure.
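The path-containment check that SI-10 asks of the prepare-upload and upload handlers, written here as an added illustration in Python; this is not LocalSend's own code or its 1.17.0 fix, and the request layout (a "files" map keyed by id with a "fileName" field) is an assumption.

```python
import os

# Constructed sample of the file metadata a peer supplies in a prepare-upload
# request; the "files"/"fileName" layout is assumed, not taken from the page.
SAMPLE_REQUEST = {
    "files": {
        "f1": {"fileName": "report.pdf"},
        "f2": {"fileName": "photos/2025/holiday.jpg"},
        "f3": {"fileName": "../../.bashrc"},
        "f4": {"fileName": "..\\..\\Startup\\x.exe"},
        "f5": {"fileName": "/etc/profile"},
        "f6": {"fileName": "C:\\Users\\Public\\x.txt"},
        "f7": {"fileName": "ok\x00.txt"},
    }
}

class UnsafePath(ValueError):
    """Raised when a client-supplied name would escape the save directory."""

def safe_destination(save_dir: str, file_name: str) -> str:
    """Map a client-supplied file name to a path inside save_dir, or raise."""
    # Deliberately OS-independent: a Windows peer may talk to a Linux receiver
    # (or vice versa), so both separator styles and drive letters are hostile.
    if not file_name or "\x00" in file_name:
        raise UnsafePath("empty name or NUL byte")
    name = file_name.replace("\\", "/")          # '..\\x' is not a plain name
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafePath("absolute path or drive letter")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise UnsafePath("traversal component")
    base = os.path.realpath(save_dir)
    dest = os.path.realpath(os.path.join(base, *parts))
    # Containment check after symlink resolution: an existing symlinked
    # subdirectory must not lead the write outside save_dir either.
    if os.path.commonpath([base, dest]) != base:
        raise UnsafePath("resolved path escapes save directory")
    return dest

def triage_request(save_dir: str, request: dict) -> dict:
    """Return {file id: 'accept' | 'reject'} for every file in the request."""
    verdicts = {}
    for fid, meta in request["files"].items():
        try:
            safe_destination(save_dir, meta.get("fileName", ""))
            verdicts[fid] = "accept"
        except UnsafePath:
            verdicts[fid] = "reject"
    return verdicts
```

Only f1 and f2 are accepted; every other constructed name is refused before any file is opened, which is the property the Quick Save path needs because no user sees the name first.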

Vulnerability details

LocalSend is a free, open-source app that allows users to securely share files and messages with nearby devices over their local network without needing an internet connection. Prior to version 1.17.0, due to the missing sanitization of the path in the `POST /api/localsend/v2/prepare-upload` and the `POST /api/localsend/v2/upload` endpoints, a malicious file transfer request can write files to an arbitrary location on the system, resulting in remote command execution. A malicious file transfer request sent by nearby devices can write files into an arbitrary directory. This usually allows command execution via the startup folder on Windows or Bash-related files on Linux. If the user enables the `Quick Save` feature, it will silently write files without explicit user interaction. Version 1.17.0 fixes this issue.

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1547.001 Registry Run Keys / Startup Folder (Persistence)
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.

T1546.004 Unix Shell Configuration Modification (Privilege Escalation)
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell.

Why these techniques?

Path traversal in upload endpoints allows arbitrary file writes via the exposed local network API, directly enabling exploitation of the remote service (T1210) to place malicious payloads in Windows startup folders (T1547.001) or Linux Bash configuration directories (T1546.004) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-39973 (shared CWE-22)
CVE-2025-40549 (shared CWE-22)
CVE-2026-32116 (shared CWE-22)
CVE-2025-40898 (shared CWE-22)
CVE-2026-20613 (shared CWE-22)
CVE-2026-25635 (shared CWE-22)
CVE-2026-22661 (shared CWE-22)
CVE-2026-26064 (shared CWE-22)
CVE-2025-11531 (shared CWE-22)
CVE-2026-40024 (shared CWE-22)

Affected Assets

Vendor: localsend
Product: localsend
Versions: ≤ 1.17.0

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly mandates validation and sanitization of path parameters in the prepare-upload and upload endpoints to block path traversal sequences leading to arbitrary file writes.

SI-2 Flaw Remediation (prevent)
Requires timely flaw remediation through patching to version 1.17.0, which implements proper path sanitization to eliminate the vulnerability.

CM-7 Least Functionality (prevent)
Enforces least functionality by disabling non-essential features such as Quick Save, preventing silent arbitrary file writes without user interaction.
