8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64184

GHSA ID

GHSA-4vcx-3pj3-44m7

EPSS Score

CWE

CWE-22

Published

11/4/2025

Updated

11/4/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-64184

CVE-2025-64184: Dosage vulnerable to a Directory Traversal through crafted HTTP responses

Impact

When downloadinging comic images, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met).

Patches

Fixed in release 3.2. The fix is small and self-contained, so distributors might elect to backport the fix to older versions.

Workarounds

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-64184

CVE-2025-64184:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-64184

GHSA ID

GHSA-4vcx-3pj3-44m7

EPSS Score

CWE

CWE-22

Published

11/4/2025

Updated

11/4/2025

KEV Status

Technology

Python

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dosage	pip	< 3.2	3.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a classic path traversal issue located in the dosagelib/comic.py file. The analysis of the commit 336a9684191604bc49eed7296b74bd582151181e clearly shows the vulnerable code and the corresponding fix. The ComicPage.connect function was identified as the vulnerable function because it is responsible for handling the HTTP response and constructing the filename for the downloaded image. Specifically, the code that processes the Content-Type header was flawed. It would take the subtype from the header and directly use it as part of the file extension. This allowed an attacker to inject path traversal sequences (../) into the filename via a malicious Content-Type header. The patch mitigates this by replacing the unsafe string manipulation with a call to mimetypes.guess_extension, which provides a safe way to map a MIME type to a file extension. Therefore, any runtime profile of an exploitation attempt would show the ComicPage.connect function in the stack trace.

Vulnerable functions

ComicPage.connect

dosagelib/comic.py

The `connect` method in the `ComicPage` class processes the `Content-Type` header from an HTTP response to determine the file extension for a downloaded comic image. The vulnerability exists because the code splits the `Content-Type` header value at the '/' character and uses the second part (the subtype) directly to construct the file extension. A malicious server or a man-in-the-middle attacker could provide a crafted `Content-Type` header containing directory traversal characters (e.g., `image/../evil.sh`). The code would then incorrectly create a file extension like `../evil.sh`, allowing an attacker to write a file outside of the intended comic directory. The patch fixes this by using the `mimetypes.guess_extension` function, which safely determines a file extension from a mime type, preventing the path traversal.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-64184: Dosage vulnerable to a Directory Traversal through crafted HTTP responses

Impact

Patches

Workarounds

CVE-2025-64184:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

Technical Details

CVE-2025-64184: Dosage vulnerable to a Directory Traversal through crafted HTTP responses

Impact

Patches

Workarounds

8.8

8.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI