GHSA-4VCX-3PJ3-44M7

Vulnerability from github – Published: 2025-11-04 15:31 – Updated: 2025-11-07 16:42
VLAI?
Summary
Dosage vulnerable to a Directory Traversal through crafted HTTP responses
Details

Impact

When downloadinging comic images, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met).

Patches

Fixed in release 3.2. The fix is small and self-contained, so distributors might elect to backport the fix to older versions.

Workarounds

No

Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "dosage"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-64184"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-04T15:31:48Z",
    "nvd_published_at": "2025-11-07T04:15:46Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nWhen downloadinging comic images, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP `Content-Type` header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). \n\n### Patches\n\nFixed in release 3.2. The [fix is small and self-contained](https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e), so distributors might elect to backport the fix to older versions.\n\n### Workarounds\n\nNo",
  "id": "GHSA-4vcx-3pj3-44m7",
  "modified": "2025-11-07T16:42:26Z",
  "published": "2025-11-04T15:31:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64184"
    },
    {
      "type": "WEB",
      "url": "https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/webcomics/dosage"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dosage vulnerable to a Directory Traversal through crafted HTTP responses"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.