CVE-2025-48050 - Path Traversal: '../filedir' in DOMPurify

Severity: 7.5 HIGH (NVD)
EPSS: 0.4% (top 39.75%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2025-05-15

Description

In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N
Exploitability: 2.2 | Impact: 4.7
(Network attack vector, high attack complexity, no privileges or user interaction required, scope changed; high confidentiality impact, low integrity impact, no availability impact.)

Affected Packages (1 package)

CVEList V5: cure53/dompurify 3.2.5

🔴 Vulnerability Details (3)

GHSA: GHSA-5h64-37wc-rj27: In DOMPurify through 3... (2025-05-15)
CVEList: CVE-2025-48050: In DOMPurify through 3... (2025-05-15)
OSV: CVE-2025-48050: In DOMPurify through 3... (2025-05-15)

📋 Vendor Advisories (1)

Debian: CVE-2025-48050: node-dompurify - In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure tha... (2025)
Source: cvebase