Platform: python
Component: dosage
Fixed in: 3.2.1, 3.2
CVE-2025-64184 describes a Directory Traversal vulnerability discovered in Dosage, a comic server written in Python. The flaw allows an attacker to write arbitrary files outside the intended directory, which can lead to system compromise. The vulnerability affects versions of Dosage prior to 3.1, and a fix is available in version 3.2.
The core of the vulnerability lies in how Dosage handles comic image downloads. When downloading images, the server constructs filenames from several components of the comic, including the HTTP Content-Type header. The basename is sanitized, but the file extension is taken directly from this header. A malicious actor, or a Man-in-the-Middle attacker intercepting HTTP traffic, can supply a crafted Content-Type header that specifies a file extension and path, allowing files to be written outside the designated download directory. This could lead to overwriting critical configuration files, injecting malicious code, or exfiltrating sensitive data. The potential impact is significant, especially if the server is publicly accessible or handles sensitive comic content.
This vulnerability was publicly disclosed on 2025-11-04. There are currently no known public exploits or active campaigns targeting this vulnerability. The fix is relatively straightforward, suggesting a low probability of exploitation in the near term. The vulnerability's impact is contingent on the server's configuration and exposure. It is not listed on CISA KEV as of this writing.
Systems running vulnerable versions of Dosage (≤3.1) are at risk, particularly those serving comics over HTTP rather than HTTPS, making them susceptible to Man-in-the-Middle attacks. Shared hosting environments where multiple users share the same Dosage instance are also at increased risk, as an attacker could potentially exploit the vulnerability to affect other users' files.
• python / server:
  # Check for vulnerable versions of Dosage
  python3 -c 'import dosage; print(dosage.__version__)'
• generic web:
  # Check access logs for unusual file creation attempts or unexpected file extensions
  grep -i 'Content-Type: image/.*' /var/log/apache2/access.log
Disclosure
Exploit status
EPSS: 0.20% (42nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade Dosage to version 3.2 or later, which includes a fix for this vulnerability. If upgrading immediately is not feasible, consider implementing temporary workarounds. One approach is to strictly validate and sanitize the Content-Type header received from the client, rejecting any requests with unexpected or suspicious values. Additionally, configure your web server to restrict file write access to the designated download directory, limiting the potential damage from a successful exploit. Regularly monitor server logs for unusual file creation or modification activity. After upgrading, confirm the fix by attempting a download with a crafted Content-Type header to ensure the server no longer allows arbitrary file writes.
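The workaround above (validate the Content-Type header, and confine writes to the download directory) is what the following added example implements. It is not Dosage's own code: it assumes a downloader that builds a local filename from a sanitized basename plus an extension, and it replaces the "extension taken verbatim from the header" step with an allow-list lookup keyed on the media type, followed by a check that the resolved path stays under the download root. The function and constant names are this example's own.

```python
"""Hardened derivation of a download path from a Content-Type header.

Added example, not Dosage's code. Two independent controls:
  1. the extension comes from an allow-list keyed on the media type,
     never from the raw header string;
  2. the final path is resolved and checked to lie inside the
     download directory, so a traversal in any component is refused.
"""
import re
from pathlib import Path

# Allow-list: media type -> extension. Any other media type is rejected.
ALLOWED_IMAGE_TYPES = {
    "image/png": ".png",
    "image/jpeg": ".jpg",
    "image/gif": ".gif",
    "image/webp": ".webp",
}

# Anything outside this character set in a basename is replaced.
_UNSAFE_BASENAME_CHARS = re.compile(r"[^A-Za-z0-9._-]+")


def media_type(content_type: str) -> str:
    """Strip header parameters (e.g. '; charset=binary') and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def safe_extension(content_type: str) -> str:
    """Map a Content-Type header to a fixed extension via the allow-list.

    The header value itself never reaches the filesystem: an unknown or
    malformed media type raises instead of producing an extension.
    """
    mt = media_type(content_type)
    try:
        return ALLOWED_IMAGE_TYPES[mt]
    except KeyError:
        raise ValueError(f"unsupported Content-Type: {content_type!r}") from None


def sanitize_basename(name: str) -> str:
    """Reduce a basename to a conservative character set and drop leading
    dots/underscores so the result can never be '.', '..' or hidden."""
    cleaned = _UNSAFE_BASENAME_CHARS.sub("_", name).strip("._")
    if not cleaned:
        raise ValueError("basename is empty after sanitizing")
    return cleaned


def build_download_path(download_dir: str, basename: str, content_type: str) -> Path:
    """Return the path a downloaded image may be written to, or raise.

    Even with both components sanitized, the containment check is kept as
    a second line of defence: the resolved target must have the resolved
    download root among its parents.
    """
    root = Path(download_dir).resolve()
    filename = sanitize_basename(basename) + safe_extension(content_type)
    target = (root / filename).resolve()
    if root not in target.parents:
        raise ValueError(f"refusing to write outside {root}: {target}")
    return target


if __name__ == "__main__":
    # Constructed sample values, not taken from any real comic feed.
    print(build_download_path("./comics", "strip-001", "image/png; charset=binary"))
    for bad in ("text/html", "image/x-../../evil"):
        try:
            build_download_path("./comics", "strip-001", bad)
        except ValueError as exc:
            print("rejected:", exc)
```

The allow-list is deliberately small; extend `ALLOWED_IMAGE_TYPES` with the formats your deployment actually serves rather than falling back to anything derived from the header. Keeping `build_download_path` as the single place that produces filesystem paths also gives you one spot to log rejections, which covers the "monitor for unusual file creation" advice above.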
Upgrade Dosage to version 3.2 or later. This version fixes the path traversal vulnerability by validating the file extension correctly, based on the content rather than the HTTP Content-Type header. This prevents an attacker from writing files outside the intended directory.
CVE-2025-64184 is a Directory Traversal vulnerability in Dosage Comic Server versions 3.1 and earlier, allowing attackers to potentially write arbitrary files outside the intended directory by manipulating HTTP Content-Type headers.
You are affected if you are running Dosage Comic Server version 3.1 or earlier. Upgrade to version 3.2 or later to mitigate the vulnerability.
Upgrade Dosage Comic Server to version 3.2 or later. As an interim measure, implement a WAF or proxy to filter HTTP Content-Type headers.
As of the current assessment, there are no known public exploits or active campaigns targeting CVE-2025-64184.
Refer to the official Dosage GitHub repository for updates and advisories: https://github.com/webcomics/dosage