Directory Traversal Vulnerability in DOMPurify Affects Software from Cure53
CVE-2025-48050

7.5 HIGH

Key Information:

Vendor: Cure53

Status
Vendor
CVE Published: 15 May 2025

What is CVE-2025-48050?

A directory traversal vulnerability has been identified in the DOMPurify library in versions prior to 3.2.5. The library's scripts/server.js does not adequately validate pathnames, which allows access to files outside the intended directory. An attacker could exploit this weakness by manipulating server requests, potentially leading to data exposure or manipulation. Users of DOMPurify should update to the latest version to mitigate these risks.
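The class of pathname check the description refers to, as an added Node.js example. It is not DOMPurify's code or its fix; naiveResolve, resolveInsideRoot and the /srv/demo root are hypothetical names constructed for illustration, and symbolic links are not handled.

```javascript
const path = require("node:path");

// Hypothetical unsafe pattern (not taken from scripts/server.js): the decoded
// request path is joined onto the root with no containment check.
function naiveResolve(rootDir, requestPathname) {
  return path.join(rootDir, decodeURIComponent(requestPathname));
}

// Hypothetical hardened helper: returns the absolute file path to serve,
// or null when the request must be rejected.
function resolveInsideRoot(rootDir, requestPathname) {
  let decoded;
  try {
    decoded = decodeURIComponent(requestPathname); // "%2e%2e" becomes ".."
  } catch {
    return null; // malformed percent-encoding
  }
  if (decoded.includes("\0")) return null; // a NUL byte never belongs in a path

  // Treat backslashes as separators and drop leading slashes so the request
  // is always resolved relative to the root, never as an absolute path.
  const relativeRequest = decoded.replace(/\\/g, "/").replace(/^\/+/, "");
  const root = path.resolve(rootDir);
  const candidate = path.resolve(root, relativeRequest); // collapses "." and ".."

  // path.relative() gives the route from root to candidate. A route that
  // climbs ("..") or is absolute means the candidate lies outside the root.
  // A plain string-prefix test would wrongly accept "/srv/demo-private".
  const rel = path.relative(root, candidate);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return null;
  }
  return candidate;
}
```

A server using such a helper would answer a null result with an error status instead of opening a file; resolving symbolic links (for example with fs.realpathSync) before the comparison is a further step this sketch leaves out.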

Affected Version(s)

DOMPurify 0 <= 3.2.5

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
