Copyparty Denial-of-Service Vulnerability in Recent Uploads Regex Filter

Vulnerability

A denial-of-service vulnerability has been identified in Copyparty, a portable file server, in versions prior to 1.18.9. The issue arises from the 'filter' parameter on the 'Recent Uploads' page, which allows arbitrary regular expressions. When this feature is enabled, an attacker can create a filter that causes the server to deadlock, making it inaccessible for an extended period.

Impact

Exploitation of this vulnerability leads to a significant degradation of server availability, causing the server to become unresponsive for a prolonged duration.

Reproduction

To reproduce this vulnerability, access the 'Recent Uploads' page and use the 'filter' parameter to input a regular expression that creates a deadlock condition on the server. This can be done by crafting a filter that exploits the server's regex processing capabilities, such as one that matches a large volume of data or creates excessive backtracking.

Remediation

Users can upgrade to Copyparty version 1.18.9 or later, where this vulnerability has been fixed.
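For code that must accept a user-supplied filter, the defect class described above (untrusted input compiled by a backtracking regex engine) can be avoided by never compiling the input as a regex. The following is an added example, not Copyparty's code and not the fix shipped in 1.18.9; the function names, the `*` wildcard syntax, the length cap and the sample paths are all assumptions made for illustration.

```python
MAX_FILTER_LEN = 128  # assumed cap; tune to the longest filter users need

# Constructed sample of recent-upload paths (not real server data).
SAMPLE_UPLOADS = [
    "inbox/report-2025-07.pdf",
    "inbox/budget (v2+).txt",
    "music/Report.final.PDF",
    "tmp/notes.txt",
]


def parse_filter(user_filter):
    """Split an untrusted filter into literal chunks separated by '*'.

    Nothing is ever compiled as a regex, so metacharacters such as
    '(', '+' or '$' are plain text and cannot trigger backtracking.
    """
    if len(user_filter) > MAX_FILTER_LEN:
        raise ValueError("filter longer than %d characters" % MAX_FILTER_LEN)
    # Empty chunks come from leading, trailing or doubled '*'; drop them.
    return [chunk.casefold() for chunk in user_filter.split("*") if chunk]


def matches(chunks, path):
    """True if every chunk occurs in path, in order, without overlap.

    Each chunk is located with str.find starting where the previous one
    ended; the scan only moves forward, so there is no backtracking.
    """
    haystack = path.casefold()
    pos = 0
    for chunk in chunks:
        hit = haystack.find(chunk, pos)
        if hit < 0:
            return False
        pos = hit + len(chunk)
    return True


def filter_uploads(user_filter, paths):
    """Return the paths selected by the filter; an empty filter selects all."""
    chunks = parse_filter(user_filter)
    return [p for p in paths if matches(chunks, p)]
```

The filter is parsed once per request and each path is scanned left to right, so the work per request is bounded by the filter length cap and the size of the listing.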

Added: Aug 2, 2025, 12:30 AM
Updated: Aug 2, 2025, 12:30 AM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 2.5
exploitability: 9.1
remediation: 7.7
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.