Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2025-48050

Опубликовано: 15 мая 2025
Источник: debian
EPSS Низкий

Описание

In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."

Пакеты

ПакетСтатусВерсия исправленияРелизТип
node-dompurifyunfixedpackage

Примечания

  • https://github.com/odaysec/advisory/blob/main/cure53/DOMPurify/writeup.md

  • https://github.com/cure53/DOMPurify/pull/1101

  • https://github.com/cure53/DOMPurify/commit/e9afd609397aa31b0747a766504f698fcb6ad0f7

  • Testserver (scripts/server.js) not installed into binary package

EPSS

Процентиль: 18%
0.00056
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2025-48050

CVSS3: 7.5
ubuntu
около 1 месяца назад

In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."

redhat логотип

CVE-2025-48050

CVSS3: 7.5
redhat
около 1 месяца назад

In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."

nvd логотип

CVE-2025-48050

CVSS3: 7.5
nvd
около 1 месяца назад

In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."

github логотип

GHSA-5h64-37wc-rj27

CVSS3: 7.5
github
около 1 месяца назад

In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory.

EPSS

Процентиль: 18%
0.00056
Низкий