CVE-2025-11849
📋 TL;DR
Mammoth document conversion library versions before 1.11.0 are vulnerable to directory traversal attacks when processing DOCX files containing images with external links. Attackers can read arbitrary files on the system or cause resource exhaustion by linking to special device files. This affects all applications using vulnerable versions of mammoth.js, mammoth-java, or mammoth-dotnet.
💻 Affected Systems
- mammoth.js
- mammoth-java
- mammoth-dotnet
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via reading sensitive files like /etc/passwd, SSH keys, or configuration files, potentially leading to credential theft and lateral movement.
Likely Case
Information disclosure of sensitive files accessible to the application process, potentially including database credentials, API keys, or user data.
If Mitigated
Limited impact if application runs with minimal privileges and file system access is properly restricted.
🎯 Exploit Status
Exploitation requires only a malicious DOCX file upload. Proof-of-concept is publicly available in the GitHub gist reference.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.0
Vendor Advisory: https://github.com/mwilliamson/mammoth.js/commit/c54aaeb43a7941317c1f3c119ffa92090f988820
Restart Required: No
Instructions:
1. Update mammoth.js: npm update mammoth
2. Update mammoth-java: Update Maven/Gradle dependency to version 1.11.0+
3. Update mammoth-dotnet: Update NuGet package to version 1.11.0+
4. Test document conversion functionality after update.
🔧 Temporary Workarounds
Input validation for DOCX files
All platforms: Reject DOCX files containing external image links before processing
Run with restricted permissions
Linux: Run the mammoth process with minimal file system access using containerization or user restrictions
docker run --read-only -v /tmp:/tmp your-app
🧯 If You Can't Patch
- Implement strict file upload validation to reject DOCX files with external image links
- Run mammoth in a sandboxed environment with no access to sensitive files
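One way to implement the "reject DOCX files with external image links" workaround above, as an added example that is not part of this advisory or of the mammoth project's own code: a DOCX is an OPC zip package, and every image a document embeds or links is declared as a Relationship in one of its .rels parts, so the check opens the upload with Python's standard zipfile module, parses every .rels part, and flags image relationships whose TargetMode is External. The sample packages the block builds are constructed for this demo (minimal zips shaped like a DOCX, not real Word output), and the external target path in them is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces and relationship type from the OOXML / OPC specifications.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"
)


def find_external_image_links(docx_bytes):
    """Return [(rels_part, relationship_id, target)] for every image
    relationship in the package whose TargetMode is External.

    Every .rels part is scanned (document, headers, footers, footnotes...),
    not just word/_rels/document.xml.rels, because images can be referenced
    from any of them.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % RELS_NS):
                if rel.get("Type") != IMAGE_REL_TYPE:
                    continue
                # Per the spec the attribute is "External"; compare
                # case-insensitively so odd casing cannot slip past the gate.
                if rel.get("TargetMode", "Internal").lower() == "external":
                    findings.append((name, rel.get("Id"), rel.get("Target")))
    return findings


def is_safe_to_convert(docx_bytes):
    """Upload-path gate to run before the file reaches mammoth.

    Fails closed: a package that is not a valid zip or whose .rels parts do
    not parse is rejected, as is any package with an external image link.
    """
    try:
        return not find_external_image_links(docx_bytes)
    except (zipfile.BadZipFile, ET.ParseError):
        return False


def build_sample_docx(external_target=None):
    """Constructed sample data for this example (not a real Word file):
    a minimal DOCX-shaped zip with one image relationship, internal by
    default or external when a target is given."""
    if external_target is None:
        image_rel = (
            '<Relationship Id="rId2" Type="%s" Target="media/image1.png"/>'
            % IMAGE_REL_TYPE
        )
    else:
        image_rel = (
            '<Relationship Id="rId2" Type="%s" Target="%s" TargetMode="External"/>'
            % (IMAGE_REL_TYPE, external_target)
        )
    document_rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        "%s</Relationships>" % (RELS_NS, image_rel)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("_rels/.rels", '<Relationships xmlns="%s"/>' % RELS_NS)
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        if external_target is None:
            zf.writestr("word/media/image1.png", b"\x89PNG constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "embedded image": build_sample_docx(),
        "external image": build_sample_docx("file:///tmp/constructed-sample.png"),
        "not a zip": b"not a zip archive",
    }
    for label, blob in samples.items():
        print(label, "-> safe" if is_safe_to_convert(blob) else "-> REJECT")
```

Only image relationships are flagged: hyperlink relationships are legitimately external in ordinary documents, so rejecting every External relationship would block normal uploads. Place the gate where the upload is received so a rejected file never reaches the mammoth process at all.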
🔍 How to Verify
Check if Vulnerable:
Check package.json for mammoth version <1.11.0, or check Maven/NuGet dependencies for versions <1.11.0
Check Version:
npm list mammoth (for JS) or mvn dependency:tree | grep mammoth (for Java) or dotnet list package (for .NET)
Verify Fix Applied:
Confirm mammoth version is 1.11.0 or higher in package.json, pom.xml, or .csproj files
📡 Detection & Monitoring
Log Indicators:
- Failed file reads from unusual paths
- High memory/CPU usage during DOCX processing
- Errors reading /dev/random or /dev/zero
Network Indicators:
- Uploads of DOCX files followed by outbound data exfiltration
SIEM Query:
source="application.log" AND ("mammoth" OR "docx") AND ("error" OR "failed to read" OR "/dev/")
🔗 References
- https://gist.github.com/AudunWA/4d690d9ae5efdafe7cf71d9c2ee90a10
- https://github.com/mwilliamson/mammoth.js/commit/c54aaeb43a7941317c1f3c119ffa92090f988820
- https://security.snyk.io/vuln/SNYK-DOTNET-MAMMOTH-13561968
- https://security.snyk.io/vuln/SNYK-JAVA-ORGZWOBBLEMAMMOTH-13561969
- https://security.snyk.io/vuln/SNYK-JS-MAMMOTH-13554470
- https://security.snyk.io/vuln/SNYK-PYTHON-MAMMOTH-13561967