CVE-2025-64184
📋 TL;DR
This vulnerability in the Dosage comic downloader allows a remote attacker to write arbitrary files outside the target directory by manipulating HTTP Content-Type headers. It can be exploited by a malicious comic server, or by a man-in-the-middle when comics are downloaded over plain HTTP. Dosage versions 3.1 and below are affected.
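As an added defensive illustration (not Dosage's own code and not the vendor patch), the Python below shows how to derive a file extension from a server-controlled Content-Type header without letting that header steer where the file is written. It assumes the downloader picks the saved file's extension from Content-Type, which this page does not state explicitly; naive_extension is a hypothetical weak pattern for contrast, not a description of Dosage's implementation.

```python
"""Defensive example (added here, not from Dosage): keep a server-supplied
Content-Type from influencing the on-disk path. Assumes the downloader
derives the extension from Content-Type; naive_extension is hypothetical."""
import os

# Constructed allowlist: only media types the downloader expects to save.
EXTENSION_FOR_TYPE = {
    "image/png": ".png",
    "image/jpeg": ".jpg",
    "image/gif": ".gif",
    "image/webp": ".webp",
}


def naive_extension(content_type: str) -> str:
    """Hypothetical weak pattern: trust the subtype as the extension, so any
    separators or '..' sequences in the header flow straight into the path."""
    return "." + content_type.split("/", 1)[1].split(";")[0].strip()


def safe_extension(content_type: str) -> str:
    """Strip parameters, normalise case, and map through an allowlist.
    Unknown types get a fixed fallback instead of server-chosen bytes."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    return EXTENSION_FOR_TYPE.get(media_type, ".bin")


def resolve_inside(base_dir: str, stem: str, ext: str) -> str:
    """Join base_dir/stem+ext, then prove the resolved path is still under
    base_dir. Rejects traversal via the extension *or* the comic name."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, stem + ext))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing to write outside {base}: {target}")
    return target


def would_escape(base_dir: str, stem: str, ext: str) -> bool:
    """True when the write would land outside base_dir (containment check)."""
    try:
        resolve_inside(base_dir, stem, ext)
        return False
    except ValueError:
        return True


def plan_write(base_dir: str, stem: str, content_type: str) -> str:
    """Hardened path: allowlisted extension plus containment check."""
    return resolve_inside(base_dir, stem, safe_extension(content_type))
```

Both layers matter: the allowlist stops the header from supplying path characters at all, and the realpath containment check catches anything else (such as a hostile comic name) before the write happens.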
💻 Affected Systems
- Dosage comic strip downloader
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via arbitrary file write leading to remote code execution, data theft, or system destruction.
Likely Case
Local file system corruption, data loss, or privilege escalation through crafted file writes.
If Mitigated
Limited to denial of service or minor file system issues if proper file permissions and network segmentation are in place.
🎯 Exploit Status
Exploitation requires the attacker to control the comic server or to intercept HTTP traffic. No authentication is needed for the basic file write.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2
Vendor Advisory: https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7
Restart Required: No
Instructions:
1. Stop using Dosage.
2. Upgrade to version 3.2 using pip: 'pip install --upgrade dosage==3.2'.
3. Verify the installation with 'dosage --version'.
🔧 Temporary Workarounds
Use HTTPS-only comic sources
Platform: all
Only download comics from trusted sources over HTTPS to prevent man-in-the-middle attacks.
Run Dosage in a restricted environment
Platform: Linux
Execute Dosage with minimal privileges and in isolated directories using chroot or containers.
docker run --read-only -v /safe/path:/data dosage
🧯 If You Can't Patch
- Discontinue use of Dosage until patched
- Only download comics from trusted, verified sources over HTTPS
🔍 How to Verify
Check if Vulnerable:
Check the Dosage version with 'dosage --version'. If the reported version is 3.1 or lower, the installation is vulnerable.
Check Version:
dosage --version
Verify Fix Applied:
After upgrading, run 'dosage --version' and confirm the version is 3.2 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual file writes outside comic download directory
- Errors from Dosage about file path validation
Network Indicators:
- HTTP traffic to comic servers with manipulated Content-Type headers
SIEM Query:
process.name='dosage' AND file.path NOT CONTAINS '/expected/download/directory/'