Vulnerability Description
Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd5821511
- https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7
FAQ
What is CVE-2025-64184?
CVE-2025-64184 is a vulnerability with a CVSS score of 8.8 (HIGH). Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, imag...
How severe is CVE-2025-64184?
CVE-2025-64184 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64184?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.