CVE-2025-64184
Dosage vulnerable to a Directory Traversal through crafted HTTP responses
Description
### Impact When downloadinging comic images, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP `Content-Type` header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). ### Patches Fixed in release 3.2. The [fix is small and self-contained](https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e), so distributors might elect to backport the fix to older versions. ### Workarounds No
How to fix CVE-2025-64184
To remediate CVE-2025-64184, upgrade the affected package to a fixed version below.
- —upgrade to 3.2 or later
Is CVE-2025-64184 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |