CVE-2025-27142
Published: 25 February 2025
Summary
CVE-2025-27142 is a medium-severity Path Traversal (CWE-22) vulnerability in LocalSend. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). It is ranked in the top 10.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
LocalSend is an open-source file-sharing application that operates over local networks. Prior to version 1.17.0, the endpoints POST /api/localsend/v2/prepare-upload and POST /api/localsend/v2/upload failed to sanitize supplied file paths, exposing a path traversal flaw (CWE-22). An attacker able to reach these endpoints could therefore cause the application to write files to arbitrary locations on the host filesystem.
Because LocalSend is designed for nearby devices, any adjacent-network actor can submit a crafted upload request that places executables in sensitive directories such as the Windows Startup folder or Linux shell configuration files. When the Quick Save feature is enabled, the write occurs without user interaction, resulting in remote command execution with the privileges of the LocalSend process. The CVSS 4.0 score of 6.3 reflects the adjacent-network attack vector combined with high impact on confidentiality, integrity, and availability.
The project’s security advisory GHSA-f7jp-p6j4-3522 and the corresponding commit e8635204ec782ded45bc7d698deb60f3c4105687 state that the issue is resolved in version 1.17.0; users should upgrade to obtain the path-sanitization fix. The associated EPSS score rose from lower values to a peak of 0.0859 on 2026-04-08 before receding to the current 0.0465, indicating a measurable increase in exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5325
Vulnerability details
LocalSend is a free, open-source app that allows users to securely share files and messages with nearby devices over their local network without needing an internet connection. Prior to version 1.17.0, due to the missing sanitization of the path in the `POST /api/localsend/v2/prepare-upload` and the `POST /api/localsend/v2/upload` endpoint, a malicious file transfer request can write files to the arbitrary location on the system, resulting in the remote command execution. A malicious file transfer request sent by nearby devices can write files into an arbitrary directory. This usually allows command execution via the startup folder on Windows or Bash-related files on Linux. If the user enables the `Quick Save` feature, it will silently write files without explicit user interaction. Version 1.17.0 fixes this issue.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in upload endpoints allows arbitrary file writes via the exposed local network API, directly enabling exploitation of the remote service (T1210) to place malicious payloads in Windows startup folders (T1547.001) or Linux Bash configuration directories (T1546.004) for RCE.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation and sanitization of path parameters in the prepare-upload and upload endpoints to block path traversal sequences leading to arbitrary file writes.
- SI-2 (Flaw Remediation): requires timely flaw remediation through patching to version 1.17.0, which implements proper path sanitization to eliminate the vulnerability.
- CM-7 (Least Functionality): enforces least functionality by disabling non-essential features like Quick Save, preventing silent arbitrary file writes without user interaction.
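To illustrate the SI-10 input-validation control above, here is an added Python example of the kind of check an upload handler should run on a peer-supplied file name before writing anything; it is not code from the LocalSend project, and the helper names and the save-directory values are assumptions for illustration.

```python
import os
import re
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a client-supplied file name would escape the save directory."""


# Windows drive prefix ("C:") or UNC prefix ("\\server", "//server").
_DRIVE_OR_UNC = re.compile(r"^(?:[A-Za-z]:|[\\/]{2})")


def resolve_upload_path(save_dir: str, file_name: str, allow_subdirs: bool = False) -> Path:
    """Validate an untrusted file name and return the destination path (hypothetical helper).

    Every check is on the raw value taken from the peer's request, so the name
    must be rejected rather than "cleaned" when it carries traversal elements.
    """
    if not file_name or "\x00" in file_name:
        raise UnsafePathError("empty name or NUL byte")
    # Treat backslashes as separators on every platform: "..\\x" looks like a
    # plain file name on Linux but traverses directories on Windows.
    normalized = file_name.replace("\\", "/")
    if normalized.startswith("/") or _DRIVE_OR_UNC.match(file_name):
        raise UnsafePathError("absolute path not allowed")
    parts = normalized.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise UnsafePathError("traversal or empty path component")
    if len(parts) > 1 and not allow_subdirs:
        raise UnsafePathError("subdirectories not allowed")
    root = Path(save_dir).resolve()
    # resolve() also follows symlinks, so a link inside the save dir that
    # points elsewhere is caught by the containment check below.
    candidate = root.joinpath(*parts).resolve()
    if os.path.commonpath([str(root), str(candidate)]) != str(root):
        raise UnsafePathError("resolved path escapes the save directory")
    return candidate


def is_safe_file_name(save_dir: str, file_name: str) -> bool:
    """Boolean wrapper: True if the name would be accepted with the default policy."""
    try:
        resolve_upload_path(save_dir, file_name)
        return True
    except UnsafePathError:
        return False
```

The default policy accepts only a bare file name; pass `allow_subdirs=True` if the protocol legitimately carries relative subfolders, and the containment check still applies.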