CVE-2025-54387
📋 TL;DR
CVE-2025-54387 is a path traversal vulnerability in IPX image optimization software that allows attackers to bypass directory restrictions and potentially access sensitive files. The vulnerability affects IPX versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0. This occurs due to improper path validation when allowed directories don't end with a path separator.
💻 Affected Systems
- IPX (image optimizer powered by sharp and svgo)
📦 What is this software?
Ipx by Unjs
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read arbitrary files from the server filesystem, potentially accessing sensitive configuration files, credentials, or source code, leading to complete system compromise.
Likely Case
Unauthorized file access leading to information disclosure of sensitive files within the server's accessible directory tree.
If Mitigated
Limited impact if proper file permissions and network segmentation are in place, restricting access to critical system files.
🎯 Exploit Status
The vulnerability is straightforward to exploit once an attacker understands the path prefix bypass technique.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.2, 2.1.1, or 3.1.1
Vendor Advisory: https://github.com/unjs/ipx/security/advisories/GHSA-mm3p-j368-7jcr
Restart Required: Yes
Instructions:
1. Identify your IPX version.
2. Update to the patched version: npm update ipx@latest or specify the exact version.
3. Restart your application/service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Add trailing path separators
Ensure all allowed directories in the IPX configuration end with a path separator (e.g., '/' on Unix, '\' on Windows)
Modify IPX configuration to add trailing slashes to allowed directories
🧯 If You Can't Patch
- Implement strict file system permissions to limit IPX's access to only necessary directories
- Use network segmentation and web application firewalls to restrict access to IPX endpoints
🔍 How to Verify
Check if Vulnerable:
Check IPX version and configuration. If using affected versions and allowed directories don't end with path separators, you're vulnerable.
Check Version:
npm list ipx or check package.json for IPX version
Verify Fix Applied:
Verify that the IPX version is 1.3.2, 2.1.1, or 3.1.1 or higher, and test that path traversal attempts are properly blocked.
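The version test above is easy to get wrong by hand because there are three release lines and one of the affected ranges starts at a prerelease (2.0.0-0). The following is an added helper, not part of IPX or of any official tooling, that classifies a version string such as the one printed by npm list ipx against the ranges stated in this advisory (1.3.1 and below, 2.0.0-0 through 2.1.0, 3.0.0 through 3.1.0). Prerelease identifiers are compared as plain strings, which is a deliberate simplification of full semver ordering.

```javascript
// Added example (not IPX's own tooling): check an installed ipx version against
// the affected ranges listed in this advisory.

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE]" (an optional leading "v" is tolerated).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error("not a semver string: " + v);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Compare two parsed versions: -1, 0 or 1. A prerelease sorts before the
// release with the same core numbers, as semver requires. Prerelease strings
// are compared lexically here (simplification; labelled as such in the lead-in).
function compareSemver(a, b) {
  for (const k of ["major", "minor", "patch"]) {
    if (a[k] !== b[k]) return a[k] < b[k] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}

// Highest affected version in each release line, taken from the advisory text.
// The first patched releases are 1.3.2, 2.1.1 and 3.1.1 respectively.
const AFFECTED_CEILINGS = { 1: "1.3.1", 2: "2.1.0", 3: "3.1.0" };

// True if the given ipx version falls inside one of the affected ranges.
// "1.3.1 and below" is read as covering every release before 1.3.2, so 0.x
// versions are treated as affected too. Lines not named in the advisory
// (4.x and later) return false.
function isAffectedIpxVersion(version) {
  const v = parseSemver(version);
  const line = v.major <= 1 ? 1 : v.major;
  const ceiling = AFFECTED_CEILINGS[line];
  if (!ceiling) return false;
  return compareSemver(v, parseSemver(ceiling)) <= 0;
}

module.exports = { parseSemver, compareSemver, isAffectedIpxVersion };
```

Feed it the version from package-lock.json or from npm list ipx for each deployed service; a monorepo may carry more than one ipx version, and each one needs to be checked separately.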
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from IPX endpoints
- Failed path traversal attempts in application logs
Network Indicators:
- Multiple requests to IPX endpoints with varying path parameters
- Requests attempting to access files outside expected directories
SIEM Query:
source="application_logs" AND (process="ipx" OR component="ipx") AND (event="file_access" OR event="path_traversal")
🔗 References
- https://github.com/unjs/ipx/commit/81693ddbfc062cc922e4e2406e8427ab4e3ad214
- https://github.com/unjs/ipx/releases/tag/v1.3.2
- https://github.com/unjs/ipx/releases/tag/v2.1.1
- https://github.com/unjs/ipx/releases/tag/v3.1.1
- https://github.com/unjs/ipx/security/advisories/GHSA-mm3p-j368-7jcr