Vulnerability Description
In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started."
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/cure53/DOMPurify/commit/6bc6d60e49256f27a4022181b7d8a5b0721fd
- https://github.com/cure53/DOMPurify/pull/1101
- https://github.com/odaysec/advisory/blob/main/cure53/DOMPurify/writeup.md
- https://security.snyk.io/vuln/SNYK-JS-DOMPURIFY-10176060
- https://github.com/cure53/DOMPurify/pull/1101
FAQ
What is CVE-2025-48050?
CVE-2025-48050 is a vulnerability with a CVSS score of 7.5 (HIGH). In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report...
How severe is CVE-2025-48050?
CVE-2025-48050 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-48050?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.