CVE-2025-64184
Published: 07 November 2025
Summary
CVE-2025-64184 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, ranked at the 39.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-64184 affects Dosage, an open-source comic strip downloader and archiver, in versions 3.1 and below. The vulnerability arises during the downloading of comic images, where target filenames are constructed from elements like the page URL, image URL, or page content. Although the basename is sanitized to remove directory-traversing characters, the file extension is directly derived from the HTTP Content-Type header provided by the server. This design flaw enables a form of path traversal (CWE-22), rated at CVSS 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), allowing files to be written outside the intended target directory under specific conditions.
A remote attacker can exploit this by hosting a malicious comic strip on a website that users might direct Dosage to download from, or via a man-in-the-middle (MitM) attack if the comic is served over HTTP. Exploitation requires user interaction, as the victim must run Dosage to download from the attacker's controlled source. Successful exploitation lets the attacker control the file extension via a manipulated Content-Type header, enabling arbitrary file writes outside the download directory if additional conditions (such as filesystem permissions) are met, potentially leading to high-impact confidentiality, integrity, and availability compromises on the victim's system.
The Dosage GitHub security advisory (GHSA-4vcx-3pj3-44m7) and the fixing commit (336a9684191604bc49eed7296b74bd582151181e) confirm the issue is resolved in version 3.2, which presumably strengthens filename construction to prevent Content-Type header abuse. Security practitioners should advise users to upgrade to Dosage 3.2 or later and avoid downloading from untrusted sources, especially over HTTP.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-37861
Vulnerability details
Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is…
more
properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires validation of untrusted inputs like HTTP Content-Type headers used in filename construction to prevent path traversal via manipulated extensions.
Mandates timely flaw remediation, such as upgrading Dosage to version 3.2 where the filename construction vulnerability is fixed.
Restricts and scans user-installed software like vulnerable Dosage versions prior to execution to block deployment of exploitable tools.