CVE-2025-11849

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-11849

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11849.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-11849

Aliases

GHSA-rmjr-87wv-gf87

Published

2025-10-17T05:15:33.960Z

Modified

2026-04-10T05:21:41.224721Z

Severity

5.4 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:N/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

[none]

Details

Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero.

References

Affected packages

Git / github.com/mwilliamson/mammoth.js

Affected ranges

Type

GIT

Repo

https://github.com/mwilliamson/mammoth.js

Events

Introduced

Fixed

3261fbb689a2d54c151d6be7fa653553735e5861

Introduced

Fixed

3261fbb689a2d54c151d6be7fa653553735e5861

Introduced

Fixed

3261fbb689a2d54c151d6be7fa653553735e5861

Introduced

Fixed

3261fbb689a2d54c151d6be7fa653553735e5861

Fixed

c54aaeb43a7941317c1f3c119ffa92090f988820

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.0"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.0"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.0"
        },
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.0"
        }
    ]
}

Affected versions

0.*

0.1.0

0.1.1

0.1.2

0.1.3

0.1.4

0.1.5

0.1.6

0.2.0

0.2.1

0.2.2

0.3.0

0.3.1

0.3.10

0.3.11

0.3.12

0.3.13

0.3.14

0.3.15

0.3.16

0.3.17

0.3.18

0.3.19

0.3.2

0.3.20

0.3.21

0.3.22

0.3.23

0.3.24

0.3.25

0.3.25-pre.1

0.3.26

0.3.27

0.3.28

0.3.28-pre.1

0.3.29

0.3.3

0.3.30

0.3.31

0.3.32

0.3.33

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

1.*

1.0.0

1.0.1

1.0.2

1.0.3

1.0.4

1.10.0

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.4.0

1.4.1

1.4.10

1.4.11

1.4.12

1.4.13

1.4.14

1.4.15

1.4.16

1.4.17

1.4.18

1.4.19

1.4.2

1.4.20

1.4.21

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.5.0

1.5.1

1.6.0

1.7.0

1.7.1

1.7.2

1.8.0

1.9.0

1.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-11849.json"