LocalSend is a popular free and open-source application for sharing files and messages between devices on the same local network, with no internet connection required. However, prior to version 1.17., the application was affected by a serious path traversal vulnerability that could ultimately lead to remote command execution.

Vulnerability Details

The vulnerability (CVE-2025-27142) exists because, prior to version 1.17., the POST /api/localsend/v2/prepare-upload and POST /api/localsend/v2/upload endpoints do not sufficiently sanitize the file name supplied by the sending device before using it to build the destination path on the receiver. A file name containing path traversal sequences such as ../ therefore escapes the receiver's download directory, so a malicious file transfer request can write files to arbitrary locations on the victim's system, which in turn can lead to remote command execution.

Exploitation typically involves writing a file into a location from which it will be executed automatically, such as the Startup folder on Windows or Bash startup files such as ~/.bashrc on Linux, so that the payload runs the next time the user logs in or opens a shell. If the victim has the Quick Save feature enabled, incoming files are accepted without the usual confirmation prompt, so the write happens silently with no user interaction, which makes the issue considerably more dangerous.

A malicious prepare-upload request might look like the following:

POST /api/localsend/v2/prepare-upload HTTP/1.1
Content-Type: application/json
Host: target-ip-or-domain.com

{
  "fileName": "../../../../../../../full-path/command-script",
  "fileSize": file-size-integer
}

And the corresponding upload request:

POST /api/localsend/v2/upload HTTP/1.1
Content-Type: multipart/form-data; boundary=--customboundary
Host: target-ip-or-domain.com

----customboundary
Content-Disposition: form-data; name="file"; filename="../../../../../../../full-path/command-script"

malicious-file-content
----customboundary--
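To make the failure mode concrete, the following Python is an illustration added to this write-up; it is not LocalSend's own (Dart) code and not its patch. It takes the sender-supplied file name from the requests above, shows what a naive join onto the download directory does with it, and contrasts that with a receiver-side check that accepts only a bare file name and then confirms the resolved path still lies inside the save directory. The save directory, the list of sample names and all function names are assumptions made for this example.

```python
import os
import posixpath

# Constructed sample of sender-supplied file names (assumed for this example).
# The long traversal string is the one from the requests above; the others are
# ordinary names or edge cases a receiver might be handed.
SAMPLE_FILE_NAMES = [
    "report.pdf",
    "photo 2025.jpg",
    "../../../../../../../full-path/command-script",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.bat",
    "/etc/cron.d/job",
    "..",
    "",
    "notes\x00.txt",
]


def unsafe_destination(save_dir: str, file_name: str) -> str:
    """The vulnerable pattern: trust the sender's name and join it onto the
    download directory. posixpath is used so the result is identical on every
    OS; each '..' component simply walks one level out of save_dir."""
    return posixpath.normpath(posixpath.join(save_dir, file_name))


def sanitize_file_name(file_name: str) -> str:
    """Accept only a bare file name. Raise ValueError for anything that could
    alter the directory: separators of either flavour, '.' or '..', empty
    names, NUL bytes and Windows drive prefixes."""
    if not isinstance(file_name, str) or not file_name:
        raise ValueError("empty file name")
    if "\x00" in file_name:
        raise ValueError("NUL byte in file name")
    if "/" in file_name or "\\" in file_name:
        raise ValueError("path separator in file name")
    if file_name in (".", ".."):
        raise ValueError("dot component as file name")
    if os.path.splitdrive(file_name)[0]:  # e.g. 'C:evil' when running on Windows
        raise ValueError("drive prefix in file name")
    return file_name


def safe_destination(save_dir: str, file_name: str) -> str:
    """Hardened pattern: validate the name, then confirm the resolved path is
    still inside save_dir (defence in depth against symlinks already present
    under save_dir, or a future weakening of the name check)."""
    name = sanitize_file_name(file_name)
    base = os.path.realpath(save_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base or target == base:
        raise ValueError("destination escapes save directory")
    return target


def resolves_inside(save_dir: str, file_name: str) -> bool:
    """True if the hardened check would accept this name for save_dir."""
    try:
        safe_destination(save_dir, file_name)
        return True
    except ValueError:
        return False


def compare(save_dir: str, names=SAMPLE_FILE_NAMES):
    """Return (name, naive destination, accepted by hardened check) triples."""
    return [(n, unsafe_destination(save_dir, n), resolves_inside(save_dir, n)) for n in names]


if __name__ == "__main__":
    for name, naive, accepted in compare("/home/user/Downloads"):
        verdict = "ACCEPT" if accepted else "REJECT"
        print(f"{verdict:7} naive -> {naive!r:40} name={name!r}")
```

The naive join turns the traversal name from the request above into /full-path/command-script, i.e. a write outside the download directory; the hardened path rejects it before any filesystem call. Rejecting separators up front matters because the containment check alone depends on realpath, which only resolves symlinks that already exist; the bare-name rule and the containment check together cover both traversal and symlink tricks.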

Affected Versions

All LocalSend versions up to and including 1.16.9 are affected by this vulnerability.

Fixed Version

This issue has been addressed in LocalSend version 1.17.. Users are urged to update to this latest version to mitigate the risk associated with this vulnerability.

Conclusion

CVE-2025-27142 represents a critical vulnerability in the LocalSend application that could enable arbitrary file writes and remote command execution on affected systems. Users are strongly advised to update their LocalSend installations to version 1.17. or higher to protect themselves from potential exploitation.

Timeline

Published on: 02/25/2025 20:15:37 UTC
Last modified on: 02/28/2025 13:50:54 UTC