HIGH Severity
CVE-2025-48050
Pathname under the current working directory is not ensured in DOMPurify before 6bc6d60
Overview
CVE-2025-48050 affects DOMPurify before commit 6bc6d60: scripts/server.js does not ensure that a requested pathname is located under the current working directory, a path containment weakness that can expose data outside that directory.
Technical Details
The flaw is in scripts/server.js, which does not verify that a requested pathname resolves to a location under the current working directory. Without that check a request can reach paths outside the intended directory, which is the route to unauthorized access or data exposure.
CVSS Metrics
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- User Interaction: NONE
- Confidentiality Impact: HIGH
- Integrity Impact: LOW
- Availability Impact: NONE
- Base Severity: HIGH
Impact
This issue can lead to unauthorized access and potential data leaks.
Recommendations
To mitigate this vulnerability, update DOMPurify to a release that includes commit 6bc6d60 or later.
Threat Metrics
- CVSS score: 7.5
- Severity: HIGH
- Attack vector: NETWORK
- Attack complexity: HIGH