CVE-2025-27142

8.8 HIGH

📋 TL;DR

LocalSend versions before 1.17.0 have a path traversal vulnerability in file upload endpoints that allows attackers to write files to arbitrary locations on the system. This can lead to remote command execution by placing malicious files in startup folders or bash-related directories. All users running vulnerable versions with the Quick Save feature enabled are at risk.

💻 Affected Systems

Products:
  • LocalSend
Versions: All versions before 1.17.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ✅ No
Notes: Quick Save feature must be enabled for silent exploitation; otherwise user interaction is required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise via remote code execution, allowing attacker to install malware, steal data, or create persistent backdoors.

🟠 Likely Case

File system corruption, data loss, or malware installation through malicious files written to sensitive locations.

🟢 If Mitigated

Limited to denial of service if file writes are blocked or contained.

🌐 Internet-Facing: LOW
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires the attacker to be on the same local network and the user to accept the file transfer (unless Quick Save is enabled).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.17.0

Vendor Advisory: https://github.com/localsend/localsend/security/advisories/GHSA-f7jp-p6j4-3522

Restart Required: No

Instructions:

1. Download LocalSend version 1.17.0 or later from official sources.
2. Install the update.
3. Verify the version is 1.17.0 or higher.

🔧 Temporary Workarounds

Disable Quick Save (all platforms)

Prevents silent file writes without user interaction.

Open LocalSend settings and disable the 'Quick Save' feature.

Network Segmentation (all platforms)

Isolate LocalSend devices from untrusted networks.

🧯 If You Can't Patch

  • Disable LocalSend service completely
  • Implement strict firewall rules to block LocalSend traffic from untrusted devices

🔍 How to Verify

Check if Vulnerable:

Check the LocalSend version in the application settings or about dialog.

Check Version:

On Linux: run localsend --version (if a CLI is available), or check the GUI about dialog.

Verify Fix Applied:

Confirm version is 1.17.0 or higher in application settings.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations to system directories
  • Multiple failed upload attempts with suspicious paths

Network Indicators:

  • POST requests to /api/localsend/v2/prepare-upload or /api/localsend/v2/upload with path traversal patterns

SIEM Query:

source="localsend.log" AND (path="..\\" OR path="../" OR path="%2e%2e%2f")
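The indicators above can be turned into a small checker. The following is an added example, not code from this advisory or from the LocalSend project: it flags upload requests whose file names contain a traversal segment (including percent-encoded forms), and shows the receiver-side check that keeps a resolved write path inside the save directory. The log format and the sample entries are constructed for the example.

```python
import json
import os
import re
from urllib.parse import unquote

# Constructed sample log lines (not real LocalSend logs): one JSON record per
# request, carrying the file names the sending peer announced.
SAMPLE_LOG = [
    '{"src":"192.168.1.20","path":"/api/localsend/v2/prepare-upload","files":["photo.jpg"]}',
    '{"src":"192.168.1.77","path":"/api/localsend/v2/prepare-upload","files":["../../.bashrc"]}',
    '{"src":"192.168.1.77","path":"/api/localsend/v2/prepare-upload","files":["%2e%2e%2f%2e%2e%2fevil.sh"]}',
    '{"src":"192.168.1.77","path":"/api/localsend/v2/prepare-upload","files":["..\\\\..\\\\run.bat"]}',
    '{"src":"192.168.1.30","path":"/api/localsend/v2/upload","files":[]}',
]

UPLOAD_ENDPOINTS = ("/api/localsend/v2/prepare-upload", "/api/localsend/v2/upload")
# A ".." segment delimited by start/end of string or by either slash style.
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def canonical_name(name: str) -> str:
    """Percent-decode until stable so %2e%2e%2f (and double encodings) read as ../."""
    for _ in range(3):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name

def is_traversal(name: str) -> bool:
    """True if the decoded file name has a .. segment or is an absolute path."""
    n = canonical_name(name)
    return bool(TRAVERSAL.search(n)) or n.startswith(("/", "\\")) or re.match(r"^[A-Za-z]:", n) is not None

def scan_upload_log(lines):
    """Return (source, endpoint, offending_name) for each suspicious upload request."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("path") not in UPLOAD_ENDPOINTS:
            continue
        for name in rec.get("files", []):
            if is_traversal(name):
                hits.append((rec["src"], rec["path"], name))
    return hits

def safe_target_path(save_dir: str, name: str):
    """Receiver-side mitigation: resolve the destination and refuse anything
    that lands outside save_dir. Returns the safe path, or None if it escapes."""
    base = os.path.realpath(save_dir)
    candidate = os.path.realpath(os.path.join(base, canonical_name(name)))
    return candidate if os.path.commonpath([base, candidate]) == base else None
```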
