CVE-2025-27142
Published: 25 February 2025
Description
Adversaries may establish persistence through executing malicious commands triggered by a user’s shell.
Security Summary
CVE-2025-27142 is a path traversal vulnerability (CWE-22) in LocalSend, a free open-source cross-platform app for sharing files and messages over local networks without internet. Affecting versions prior to 1.17.0, the flaw stems from inadequate path sanitization in the POST /api/localsend/v2/prepare-upload and POST /api/localsend/v2/upload endpoints, enabling attackers to write files to arbitrary system locations. This can facilitate remote command execution, such as by placing malicious files in Windows startup folders or Linux Bash-related directories. The issue carries a CVSS v3.1 base score of 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Attackers on the adjacent network (AV:A) can exploit this without authentication (PR:N) or elevated privileges by sending a crafted file transfer request from a nearby device. If the victim has Quick Save enabled, files are written silently without user interaction (UI:N), so the attacker controls where the file lands and can place it where it will be executed on a later system event such as a reboot or login.
The LocalSend security advisory (GHSA-f7jp-p6j4-3522) and fixing commit (e8635204ec782ded45bc7d698deb60f3c4105687) confirm that upgrading to version 1.17.0 resolves the vulnerability through proper path sanitization in the affected endpoints. Security practitioners should advise users to update immediately and to disable Quick Save until the update is applied.
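The fix the advisory describes is server-side path sanitization: a file name supplied by the sender must never select a directory outside the configured save folder. The block below is an added illustration of that check, not LocalSend's own code (LocalSend is written in Dart; this is a Python re-creation of the idea). The request shape (a `files` map keyed by id with a `fileName` field), the save directory `/tmp/localsend-demo` and the file names in `SAMPLE_REQUEST` are constructed assumptions for the demo. The validator rejects separators on both POSIX and Windows conventions, drive-relative names such as `C:notes.txt` (which `os.path.join` would honour on Windows), NUL bytes and the `.`/`..` components, then re-checks the resolved path against the save directory as defence in depth.

```python
"""Added example: rejecting path traversal in a file-receive endpoint.

Hypothetical illustration of the sanitization a receiver's
prepare-upload / upload handlers need. NOT LocalSend's code; the
request layout, save directory and file names are constructed.
"""
import os
from pathlib import PureWindowsPath


class UnsafeFileName(ValueError):
    """Raised when a client-supplied file name would escape the save directory."""


def sanitize_file_name(name: str) -> str:
    """Return `name` if it is a single safe path component, else raise.

    Checks are platform-independent on purpose: the sender may run on a
    different OS than the receiver, so both separator styles are rejected.
    """
    if not name or "\x00" in name:
        raise UnsafeFileName("empty name or NUL byte")
    if "/" in name or "\\" in name:
        raise UnsafeFileName(f"path separator in file name: {name!r}")
    if name in (".", ".."):
        raise UnsafeFileName(f"relative directory component: {name!r}")
    # 'C:notes.txt' has no separator but is drive-relative on Windows, and
    # os.path.join would discard the save directory when joining it.
    win = PureWindowsPath(name)
    if win.drive or win.is_absolute():
        raise UnsafeFileName(f"drive or absolute path in file name: {name!r}")
    return name


def resolve_destination(save_dir: str, name: str) -> str:
    """Map a sanitized file name to an absolute path inside `save_dir`."""
    safe = sanitize_file_name(name)
    base = os.path.realpath(save_dir)
    dest = os.path.realpath(os.path.join(base, safe))
    # Defence in depth: even after the component-level checks, confirm the
    # resolved path still lies inside the save directory.
    if os.path.commonpath([base, dest]) != base:
        raise UnsafeFileName(f"resolved path escapes save directory: {dest!r}")
    return dest


def triage_prepare_upload(save_dir: str, request: dict) -> dict:
    """Split a prepare-upload style request into accepted and rejected files.

    Returns {"accepted": {file_id: destination}, "rejected": {file_id: reason}}.
    A real handler would refuse the whole transfer if anything is rejected;
    the split form is kept here so the decision per file is visible.
    """
    accepted, rejected = {}, {}
    for file_id, meta in request.get("files", {}).items():
        try:
            accepted[file_id] = resolve_destination(save_dir, meta.get("fileName", ""))
        except UnsafeFileName as exc:
            rejected[file_id] = str(exc)
    return {"accepted": accepted, "rejected": rejected}


# Constructed sample request: one benign name and several escape attempts
# a validator must catch (traversal in both separator styles, a drive-relative
# name, a NUL byte, and a bare '..').
SAMPLE_REQUEST = {
    "files": {
        "f1": {"fileName": "holiday.jpg"},
        "f2": {"fileName": "../../../.bashrc"},
        "f3": {"fileName": "..\\..\\notes.bat"},
        "f4": {"fileName": "C:notes.txt"},
        "f5": {"fileName": "safe\x00.txt"},
        "f6": {"fileName": ".."},
    }
}

if __name__ == "__main__":
    result = triage_prepare_upload("/tmp/localsend-demo", SAMPLE_REQUEST)
    for file_id, dest in result["accepted"].items():
        print(f"accept {file_id}: {dest}")
    for file_id, reason in result["rejected"].items():
        print(f"reject {file_id}: {reason}")
```

The component-level rejection (no separators at all) is stricter than a pure `commonpath` check, which is deliberate: a receiver that only ever writes single files into one folder has no reason to accept nested paths, and refusing them up front keeps the realpath check as a second line rather than the only one.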
Details
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal')
- Affected Products: LocalSend, versions prior to 1.17.0
- MITRE ATT&CK Enterprise Techniques: T1210 (Exploitation of Remote Services), T1547.001 (Registry Run Keys / Startup Folder), T1546.004 (Unix Shell Configuration Modification)
Why these techniques?
Path traversal in the upload endpoints allows arbitrary file writes through the API exposed on the local network, which is exploitation of a remote service (T1210). The written file can then be placed in a Windows startup folder (T1547.001) or a Linux Bash configuration directory (T1546.004), so that it executes on the next login or reboot.