PT-2025-7912 · Localsend · Localsend

Ry0Tak · Published 2025-02-25 · Updated 2025-02-26 · CVE-2025-27142

CVSS v3.1: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: LocalSend versions prior to 1.17.0

Description: The issue arises from the missing sanitization of the path in the "POST /api/localsend/v2/prepare-upload" and "POST /api/localsend/v2/upload" endpoints, allowing a malicious file transfer request to write files to arbitrary locations on the system. This can result in remote command execution, typically via the startup folder on Windows or Bash-related files on Linux. If the Quick Save feature is enabled, files can be written silently without explicit user interaction.

Recommendations: For versions prior to 1.17.0, update to version 1.17.0 to resolve the issue. As a temporary workaround, consider disabling the Quick Save feature to prevent silent file writing. Restrict access to the "POST /api/localsend/v2/prepare-upload" and "POST /api/localsend/v2/upload" endpoints to minimize the risk of exploitation.
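The following is an added illustration of the kind of path check the description says the affected endpoints lacked; it is not LocalSend's code and does not reproduce the real v2 protocol. The save directory, the request shape (a map from file id to sender-proposed file name) and the sample names are constructed for the example. The check accepts only a bare file name from the sender and then confirms, lexically, that the joined path stays inside the configured save directory.

```python
import posixpath
from typing import Dict, List, Tuple

# Constructed save directory for this example; not a LocalSend default.
SAVE_DIR = "/srv/localsend/received"


def safe_destination(save_dir: str, file_name: str) -> str:
    """Return the path under save_dir where a received file may be written.

    Raises ValueError if the sender-supplied name could escape save_dir.
    Only a final name component is accepted: the sender never chooses a
    directory. The checks are lexical; a real receiver should additionally
    resolve symlinks on the final path before opening the file.
    """
    if not file_name or file_name in (".", ".."):
        raise ValueError("empty or dot-only file name")
    # Refuse separators (both styles) and NUL outright instead of normalising
    # them away, so "../x", "a/b" and "..\\x" are all rejected as names.
    if any(ch in file_name for ch in ("/", "\\", "\0")):
        raise ValueError("separators and NUL are not allowed in a file name")
    base = posixpath.normpath(save_dir)
    joined = posixpath.normpath(posixpath.join(base, file_name))
    # Defence in depth: the normalised result must be strictly inside base.
    if posixpath.commonpath([base, joined]) != base or joined == base:
        raise ValueError("file name escapes the save directory")
    return joined


def validate_prepare_upload(
    save_dir: str, files: Dict[str, str]
) -> Tuple[Dict[str, str], List[str]]:
    """Decide, per file, whether a prepare-upload request may proceed.

    `files` maps a file id to the file name the sender proposes (a simplified
    stand-in for the real request body, not the LocalSend schema). Returns
    (accepted, rejected): accepted maps id -> destination path, rejected lists
    the ids whose names failed the check and must not be written.
    """
    accepted: Dict[str, str] = {}
    rejected: List[str] = []
    for file_id, name in files.items():
        try:
            accepted[file_id] = safe_destination(save_dir, name)
        except ValueError:
            rejected.append(file_id)
    return accepted, rejected


# Constructed sample request: one ordinary name and several that try to
# leave the save directory in different ways.
SAMPLE_REQUEST = {
    "f1": "holiday.jpg",
    "f2": "../../home/user/report.txt",
    "f3": "..\\..\\report.txt",
    "f4": "..",
    "f5": "notes/../report.txt",
}

if __name__ == "__main__":
    ok, bad = validate_prepare_upload(SAVE_DIR, SAMPLE_REQUEST)
    print("accepted:", ok)
    print("rejected:", bad)
```

Rejecting any separator before normalisation is deliberate: a receiver that first normalises and then checks has to get every platform's separator and encoding rule right, whereas a bare-name policy leaves nothing for the sender to steer. Logging the rejected ids gives a simple detection signal for transfer requests that carry traversal sequences.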

Exploit · Fix · RCE · Path traversal

Weakness Enumeration

Related Identifiers: CVE-2025-27142, GHSA-F7JP-P6J4-3522

Affected Products: Localsend