mammoth
Fixed version: 1.11.0
CVE-2025-11849 describes a critical Directory Traversal vulnerability discovered in the Mammoth library, a .docx to HTML converter for .NET. This flaw allows attackers to potentially read arbitrary files on the server by crafting malicious Microsoft Word (.docx) documents. Versions of Mammoth prior to 1.11.0 are affected, and a fix has been released in version 1.11.0.
An attacker can exploit this vulnerability by uploading a specially crafted .docx file containing an image with an external link (r:link attribute). Mammoth, lacking proper path validation, will resolve this URI to a file path on the server. The content of this file is then read, encoded as base64, and included in the HTML output as a data URI. This effectively allows an attacker to include arbitrary files from the server within the generated HTML, potentially exposing sensitive information or enabling further malicious actions. The blast radius extends to any system processing Mammoth-generated HTML from untrusted sources.
This CVE was published on 2025-10-17. No public proof-of-concept (PoC) code has been released as of this writing. The EPSS score is pending evaluation, but the CRITICAL CVSS score suggests a high probability of exploitation if the vulnerability is exposed. It is not currently listed on the CISA KEV catalog.
Applications and systems that utilize the Mammoth library to convert .docx files to HTML are at risk. This includes content management systems, document processing tools, and any custom applications that integrate Mammoth for document rendering. Shared hosting environments where multiple users upload .docx files are particularly vulnerable.
• .NET / dotnet: Monitor for unusual file access attempts within the Mammoth processing pipeline. Use performance counters to detect excessive file reads.
Get-Process -Name mammoth | Select-Object -ExpandProperty CPU
• generic web: Examine web server access logs for requests containing suspicious file paths in the .docx content.
grep 'file:///etc/passwd' /var/log/apache2/access.log
Disclosure
Exploitation status
EPSS
0.20% (42nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to Mammoth version 1.11.0 or later, which includes the necessary path validation to prevent directory traversal. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file paths within the .docx content. Additionally, carefully sanitize any user-uploaded .docx files before processing them with Mammoth. There are no specific Sigma or YARA rules available at this time, but monitoring for unusual file access patterns on the server is recommended.
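One way to implement the pre-processing check suggested above, rejecting uploads that carry externally linked images before they ever reach Mammoth, as an added example that is not part of this advisory or of the Mammoth project: a Python function opens the .docx package, walks its relationship parts, and reports every image relationship whose TargetMode is External, which is the relationship form an r:link attribute points at. The relationship namespaces are the standard OOXML ones; the function names, the helper that builds the sample document and the sample target paths are constructed for this example. It flags every external image relationship rather than only file: targets, because the advisory does not state which target forms the vulnerable versions resolve.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Standard OOXML namespace and relationship type for images (not page-specific values).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"


def find_external_image_rels(docx_bytes):
    """Walk every word/**/*.rels part and return (rels_part, rel_id, target, kind)
    for each image relationship whose TargetMode is External.

    kind is 'local-path' when the target has no URL scheme, a file: scheme or a
    Windows drive letter, and 'url' otherwise. A converter that resolves an r:link
    through such a relationship without validation would read the target from the
    local filesystem, which is the behaviour this advisory describes.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for part in pkg.namelist():
            if not (part.startswith("word/") and part.endswith(".rels")):
                continue
            root = ET.fromstring(pkg.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != IMAGE_REL_TYPE:
                    continue
                if rel.get("TargetMode", "Internal").lower() != "external":
                    continue
                target = rel.get("Target", "")
                scheme = urlsplit(target).scheme.lower()
                # "" -> relative path, "file" -> file URI, one letter -> drive letter
                local = scheme in ("", "file") or len(scheme) == 1
                findings.append((part, rel.get("Id"), target, "local-path" if local else "url"))
    return findings


def is_safe_to_convert(docx_bytes):
    """Policy used by the upload handler: refuse any document with an externally linked image."""
    return not find_external_image_rels(docx_bytes)


def build_sample_docx(image_target, external):
    """Constructed minimal .docx (sample input, not a real upload): one paragraph whose
    picture is referenced through relationship rId5, via r:link when external is True
    and via r:embed otherwise. The document body is simplified, not full OOXML."""
    blip_attr = 'r:link="rId5"' if external else 'r:embed="rId5"'
    mode = ' TargetMode="External"' if external else ""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    root_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    document = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" '
        'xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main">'
        f"<w:body><w:p><w:r><w:drawing><a:blip {blip_attr}/></w:drawing></w:r></w:p></w:body>"
        "</w:document>"
    )
    doc_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId5" Type="{IMAGE_REL_TYPE}" Target="{image_target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("_rels/.rels", root_rels)
        pkg.writestr("word/document.xml", document)
        pkg.writestr("word/_rels/document.xml.rels", doc_rels)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("media/image1.png", False),            # ordinary embedded picture: accepted
        ("../../../../etc/passwd", True),       # constructed traversal target: rejected
        ("https://example.invalid/logo.png", True),  # external URL: also rejected by policy
    ]
    for target, external in samples:
        doc = build_sample_docx(target, external)
        verdict = "safe" if is_safe_to_convert(doc) else find_external_image_rels(doc)
        print(f"{target!r}: {verdict}")
```

Run the check on the raw upload before handing the bytes to the converter; the findings list gives you the relationship part, id and target to log alongside the rejection, which is also the file access pattern the detection guidance above asks you to watch for.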
Update the mammoth package to version 1.11.0 or later. This fixes the directory traversal vulnerability. You can update the package using npm or yarn, as applicable.
CVE-2025-11849 is a CRITICAL vulnerability in Mammoth, a .docx to HTML converter, allowing attackers to potentially read arbitrary files by crafting malicious .docx documents.
You are affected if you are using Mammoth versions prior to 1.11.0. Carefully assess your dependencies and update accordingly.
Upgrade to Mammoth version 1.11.0 or later to remediate the vulnerability. If an immediate upgrade is not possible, implement WAF rules and sanitize user-uploaded .docx files.
As of now, there is no confirmed active exploitation of CVE-2025-11849, but the CRITICAL severity warrants immediate attention and mitigation.
Refer to the official Mammoth project repository and related security advisories for the latest information and updates regarding CVE-2025-11849.