GHSA-4vcx-3pj3-44m7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-4vcx-3pj3-44m7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/11/GHSA-4vcx-3pj3-44m7/GHSA-4vcx-3pj3-44m7.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-4vcx-3pj3-44m7
- Aliases
- Published
- 2025-11-04T15:31:48Z
- Modified
- 2025-11-07T17:27:11.297715Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- Dosage vulnerable to a Directory Traversal through crafted HTTP responses
- Details
-
Impact
When downloadinging comic images, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP
Content-Typeheader. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met).Patches
Fixed in release 3.2. The fix is small and self-contained, so distributors might elect to backport the fix to older versions.
Workarounds
No
- Database specific
{ "severity": "HIGH", "cwe_ids": [ "CWE-22" ], "github_reviewed_at": "2025-11-04T15:31:48Z", "nvd_published_at": "2025-11-07T04:15:46Z", "github_reviewed": true }- References
Affected packages
PyPI / dosage
Package
- Name
- dosage
- View open source insights on deps.dev
- Purl
- pkg:pypi/dosage