
CVE-2025-64184: Dosage vulnerable to a Directory Traversal through crafted HTTP responses

CVSS Score: 8.8 (CVSS v3.1)

Basic Information

EPSS Score: -
Published: 11/4/2025
Updated: 11/4/2025
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| dosage | pip | < 3.23.2 | - |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability is a path traversal in dosagelib/comic.py; both the flawed code and its fix are visible in commit 336a9684191604bc49eed7296b74bd582151181e. The vulnerable function is ComicPage.connect, which handles the HTTP response for a comic image and derives the name under which the image is written to disk. The part of that code that processes the Content-Type header was flawed: it took the subtype from the header and used it directly as the file extension, so a comic server (or anyone able to tamper with the response on the wire) could place path traversal sequences (../) in the extension and steer the write outside the comic directory. The patch replaces that string manipulation with mimetypes.guess_extension, which maps a MIME type to a known extension from its table and never copies header text into the path. A runtime profile of an exploitation attempt would therefore show ComicPage.connect in the stack trace.

Vulnerable functions

ComicPage.connect
dosagelib/comic.py
The `connect` method of the `ComicPage` class reads the `Content-Type` header of the HTTP response to decide the file extension for a downloaded comic image. The code splits the header value at the '/' character and uses the second part (the subtype) verbatim when building the extension. A malicious comic server, or a man-in-the-middle on an unencrypted connection, can therefore send a crafted header such as `image/../evil.sh`; the code turns the subtype into an extension like `../evil.sh`, and the resulting path lets the attacker write the response body outside the intended comic directory. The patch uses `mimetypes.guess_extension`, which only returns an extension from its MIME type table (and `None` for anything it does not recognise, which callers must handle), so header text can no longer reach the file path.
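The unsafe pattern described above, set beside the `mimetypes`-based approach the patch takes, as an added example written for this page. This is not dosage's code: the function names, the simplified "extension is a dot plus the subtype" model of the vulnerable logic, the comic directory and the constructed Content-Type values are all assumptions. The containment check on the final path is an extra defence-in-depth step the page does not describe:

```python
"""Added example (not dosage's own code): subtype-as-extension vs mimetypes.

Models the flaw described on this page in simplified form and shows the
guess_extension approach plus a path-containment check. All names, paths and
header values below are assumptions constructed for the example.
"""
import mimetypes
import os
import re

# Assumed download directory for one comic.
COMIC_DIR = "/var/comics/examplestrip"

# Constructed attacker-controlled header: the subtype carries the traversal.
CRAFTED_CONTENT_TYPE = "image//../../../../tmp/evil.sh"
# Constructed benign header, with a parameter that must be stripped.
BENIGN_CONTENT_TYPE = "image/png; charset=binary"


def split_content_type(header):
    """Return (maintype, subtype) from a Content-Type value, dropping parameters."""
    media = header.split(";", 1)[0].strip()
    maintype, _, subtype = media.partition("/")
    return maintype.lower(), subtype


def ext_vulnerable(content_type):
    """Simplified model of the flawed logic: the subtype becomes the extension verbatim."""
    maintype, subtype = split_content_type(content_type)
    if maintype != "image":
        raise ValueError("not an image: %r" % content_type)
    return "." + subtype  # header text flows straight into the path


def ext_hardened(content_type):
    """Map the MIME type through mimetypes and accept only a plain extension."""
    maintype, subtype = split_content_type(content_type)
    if maintype != "image":
        raise ValueError("not an image: %r" % content_type)
    ext = mimetypes.guess_extension("%s/%s" % (maintype, subtype))
    # guess_extension returns None for anything outside its table, crafted
    # subtypes included; reject that, and anything that is not ".<alnum>".
    if ext is None or not re.fullmatch(r"\.[A-Za-z0-9]+", ext):
        raise ValueError("unrecognised image type: %r" % content_type)
    return ext


def build_target(comic_dir, basename, ext):
    """Lexically resolve where comic_dir/basename+ext would land."""
    return os.path.normpath(os.path.join(comic_dir, basename + ext))


def is_contained(comic_dir, path):
    """Defence in depth: the final path must stay under comic_dir."""
    root = os.path.normpath(os.path.abspath(comic_dir))
    target = os.path.normpath(os.path.abspath(path))
    return os.path.commonpath([root, target]) == root


def resolve(comic_dir, basename, content_type, hardened):
    """Return the final path, or raise ValueError if it escapes comic_dir."""
    ext = ext_hardened(content_type) if hardened else ext_vulnerable(content_type)
    target = build_target(comic_dir, basename, ext)
    if not is_contained(comic_dir, target):
        raise ValueError("target escapes comic directory: %r" % target)
    return target


if __name__ == "__main__":
    # Vulnerable model: the crafted header resolves to /tmp/evil.sh.
    print(build_target(COMIC_DIR, "strip-001", ext_vulnerable(CRAFTED_CONTENT_TYPE)))
    # Hardened model: the same header is rejected before any path is built.
    try:
        resolve(COMIC_DIR, "strip-001", CRAFTED_CONTENT_TYPE, hardened=True)
    except ValueError as exc:
        print("rejected:", exc)
    print(resolve(COMIC_DIR, "strip-001", BENIGN_CONTENT_TYPE, hardened=True))
```

The containment check is worth keeping even after the extension fix: it catches any other name component (the basename, a directory derived from the comic URL) that a future change lets through, and it is cheap. Note that `os.path.normpath` resolves `..` lexically, so the check reports escapes regardless of whether the intermediate directories exist on disk.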

WAF Protection Rules

WAF Rule

### Impact

When downloading comic images, dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the fi
