CVE-2025-48050

Medienbericht

EPSS 0.09%
Veröffentlicht 15.05.2025 00:00:00
Zuletzt bearbeitet 16.05.2025 15:15:48
Quelle cve@mitre.org
Teams Watchlist Login
Unerledigt Login

In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 8

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerCure53

≫

Produkt DOMPurify

Default Statusunknown

Version <= 3.2.5

Version 0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.09%	0.26

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
cve@mitre.org	7.5	2.2	4.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N

CWE-24 Path Traversal: '../filedir'

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.

https://www.heise.de/news/Schwachstellen-IBM-Storage-Scale-fuer-Attacken-anfaellig-10468812.html

Medienbericht

heise Security

https://github.com/cure53/DOMPurify/pull/1101

https://github.com/cure53/DOMPurify/commit/6bc6d60e49256f27a4022181b7d8a5b0721fd534

https://github.com/odaysec/advisory/blob/main/cure53/DOMPurify/writeup.md

https://security.snyk.io/vuln/SNYK-JS-DOMPURIFY-10176060

https://nvd.nist.gov/vuln/detail/CVE-2025-48050

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-48050

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-48050

EUVD