Cyber Resilience

CVE-2025-64184

High

Published: 07 November 2025

Published
07 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0018 39.8th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64184 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, ranked at the 39.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-64184 affects Dosage, an open-source comic strip downloader and archiver, in versions 3.1 and below. The vulnerability arises during the downloading of comic images, where target filenames are constructed from elements like the page URL, image URL, or page content. Although the basename is sanitized to remove directory-traversing characters, the file extension is directly derived from the HTTP Content-Type header provided by the server. This design flaw enables a form of path traversal (CWE-22), rated at CVSS 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), allowing files to be written outside the intended target directory under specific conditions.

A remote attacker can exploit this by hosting a malicious comic strip on a website that users might direct Dosage to download from, or via a man-in-the-middle (MitM) attack if the comic is served over HTTP. Exploitation requires user interaction, as the victim must run Dosage to download from the attacker's controlled source. Successful exploitation lets the attacker control the file extension via a manipulated Content-Type header, enabling arbitrary file writes outside the download directory if additional conditions (such as filesystem permissions) are met, potentially leading to high-impact confidentiality, integrity, and availability compromises on the victim's system.

The Dosage GitHub security advisory (GHSA-4vcx-3pj3-44m7) and the fixing commit (336a9684191604bc49eed7296b74bd582151181e) confirm the issue is resolved in version 3.2, which presumably strengthens filename construction to prevent Content-Type header abuse. Security practitioners should advise users to upgrade to Dosage 3.2 or later and avoid downloading from untrusted sources, especially over HTTP.

EU & UK References

Vulnerability details

Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is…

more

properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-67963Shared CWE-22
CVE-2026-41203Shared CWE-22
CVE-2026-4351Shared CWE-22
CVE-2025-64075Shared CWE-22
CVE-2024-53537Shared CWE-22
CVE-2024-36512Shared CWE-22
CVE-2026-7214Shared CWE-22
CVE-2025-68862Shared CWE-22
CVE-2026-3666Shared CWE-22
CVE-2026-0655Shared CWE-22

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of untrusted inputs like HTTP Content-Type headers used in filename construction to prevent path traversal via manipulated extensions.

prevent

Mandates timely flaw remediation, such as upgrading Dosage to version 3.2 where the filename construction vulnerability is fixed.

prevent

Restricts and scans user-installed software like vulnerable Dosage versions prior to execution to block deployment of exploitable tools.

References