Path Prefix Bypass Vulnerability in IPX Image Optimizer by unjs
CVE-2025-54387

6.9 MEDIUM

Key Information:

Vendor

Unjs

Status
Vendor
CVE Published:
5 August 2025

What is CVE-2025-54387?

IPX, the unjs image optimizer built on the sharp and svgo libraries, contains a path prefix bypass in the affected versions. When the allowed directory is configured without a trailing path separator, the check that a requested file lies inside that directory amounts to a bare string-prefix comparison, so any path that merely begins with the same characters (for example a sibling directory whose name extends the allowed directory's name) passes validation even though it lies outside the intended tree. The flaw is reachable over the network without user interaction and lets an attacker read files outside the permitted directory; the CVSS vector rates this as a low confidentiality impact with no integrity or availability impact. Upgrade to a patched release (1.3.2, 2.1.1 or 3.1.1, depending on the major version in use).

Affected Version(s)

ipx < 1.3.2 (fixed in 1.3.2)

ipx >= 2.0.0-0, < 2.1.1 (fixed in 2.1.1)

ipx >= 3.0.0, < 3.1.1 (fixed in 3.1.1)

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
None
User Interaction:
None

Timeline

  • Vulnerability published: 5 August 2025