CVE-2025-48050
📋 TL;DR
This vulnerability in DOMPurify's development helper script, scripts/server.js, allows path traversal when the script is started manually. It affects DOMPurify source checkouts through 3.2.5 before commit 6bc6d60. The supplier disputes its significance: the script is a development helper that must be started by hand and is not part of the library that applications ship.
💻 Affected Systems
- DOMPurify
⚠️ Manual Verification Required
The CVE entry for this issue carries no structured version range, so automated vulnerability matching cannot determine whether your system is affected.
Why? Neither the vendor nor NVD published machine-readable version ranges for this entry; the "through 3.2.5" bound in the summary comes from the CVE description text, not from a structured range.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker who can reach the running development server could read any file outside the served directory that the server process has permission to read, potentially configuration files, source code, or credentials.
Likely Case
Limited impact since this only affects a development helper script that must be manually started and isn't part of production deployments.
If Mitigated
No impact if the helper script is never started, or if each requested path is validated against the served directory before any file is opened.
🎯 Exploit Status
Exploitation requires the development server to have been started manually and to be reachable from the attacker's network position; the script is not launched by installing or importing the library.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Commit 6bc6d60 and later
Vendor Advisory: https://github.com/cure53/DOMPurify/commit/6bc6d60e49256f27a4022181b7d8a5b0721fd534
Restart Required: Yes
Instructions:
1. Update your DOMPurify source checkout to a revision that includes commit 6bc6d60; the fix is to scripts/server.js in the repository.
2. If you consume DOMPurify via npm: 'npm update dompurify', then check whether scripts/server.js is present in the installed package at all; if it is absent, the helper is not on your system.
3. Stop and restart any development server launched from scripts/server.js so the patched script is the one running.
🔧 Temporary Workarounds
Disable development server
Do not use or start the vulnerable scripts/server.js development helper.
Manual path validation
Add path validation to scripts/server.js before starting it: decode the request path once, resolve it against a fixed served directory, and reject anything that resolves outside that directory. Compare against the root plus a trailing separator; a bare startsWith check accepts a sibling directory whose name merely begins with the root (public versus public-secret), and resolving against __dirname while comparing against process.cwd() makes the check depend on where the script was launched from.
// Add path validation in scripts/server.js
const path = require('path');
const ROOT = path.resolve(__dirname); // the directory the helper is allowed to serve; adjust as needed
function resolveRequest(urlPath) {
  // urlPath is req.url; decode once so %2e%2e cannot be smuggled past the check
  const requestedPath = path.resolve(ROOT, './' + decodeURIComponent(urlPath.split('?')[0]));
  if (requestedPath !== ROOT && !requestedPath.startsWith(ROOT + path.sep)) {
    throw new Error('Path traversal attempt');
  }
  return requestedPath;
}
🧯 If You Can't Patch
- Do not use the scripts/server.js development helper script
- Ensure development servers are not accessible from untrusted networks
🔍 How to Verify
Check if Vulnerable:
You are exposed only if you have a DOMPurify checkout at version 3.2.5 or earlier that does not include commit 6bc6d60, scripts/server.js exists in that codebase, and someone starts it.
Check Version:
npm list dompurify | grep dompurify
Verify Fix Applied:
Verify that your DOMPurify revision includes commit 6bc6d60, or that scripts/server.js rejects requests whose paths resolve outside the served directory (a request for /../../etc/passwd must be refused, not served).
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from development server
- Path traversal attempts in server logs
Network Indicators:
- Requests to the development server containing ../ or its percent-encoded forms (such as %2e%2e%2f) in the URL path; mixed encodings such as ..%2f slip past a literal substring match, so decode the URL field before matching where your tooling allows it
SIEM Query:
source="development_server.log" AND ("../" OR "..\\" OR "%2e%2e%2f")
🔗 References
- https://github.com/cure53/DOMPurify/commit/6bc6d60e49256f27a4022181b7d8a5b0721fd534
- https://github.com/cure53/DOMPurify/pull/1101
- https://github.com/odaysec/advisory/blob/main/cure53/DOMPurify/writeup.md
- https://security.snyk.io/vuln/SNYK-JS-DOMPURIFY-10176060