CVE-2025-48050 Overview
A Path Traversal vulnerability has been identified in DOMPurify through version 3.2.5. The vulnerability exists in scripts/server.js, which fails to ensure that a pathname is located under the current working directory. This allows an attacker to potentially access files outside the intended directory structure through uncontrolled data used in path expressions.
Note: The vendor (Cure53) disputes the significance of this vulnerability, stating that it occurs in a development helper script which starts a local web server only when manually started, and is not part of the production library.
Critical Impact
A network-accessible path traversal flaw that could allow unauthorized read access to files on a system running the development server script, leading to information disclosure.
Affected Products
- DOMPurify versions through 3.2.5
- DOMPurify versions prior to commit 6bc6d60
- Applications using the development server script (scripts/server.js)
Discovery Timeline
- May 15, 2025 - CVE-2025-48050 published to NVD
- May 16, 2025 - Last updated in NVD database
Technical Details for CVE-2025-48050
Vulnerability Analysis
This vulnerability is classified as CWE-24 (Path Traversal: '../filedir'), which occurs when external input is used to construct a pathname intended to identify a file or directory within a restricted parent directory, but the software fails to properly neutralize special elements that can cause the pathname to resolve to a location outside the restricted directory.
In the affected DOMPurify development server script, user-supplied URI paths are directly joined with the current working directory without proper validation. This allows attackers to craft malicious requests containing path traversal sequences (such as ../) to escape the intended directory structure and access arbitrary files on the system.
The vulnerability requires network access and has high attack complexity due to the need for the development server to be manually started. However, when exploited, it can result in high confidentiality impact through unauthorized file access and low integrity impact.
Root Cause
The root cause is insecure path construction in scripts/server.js. The original code built the file path as path.join(process.cwd(), uri) from the user-supplied URI without checking that the result stayed inside the current working directory. Node's path.join() normalizes the joined path, collapsing .. segments, so a URI that contains them yields a path outside the working directory.
Attack Vector
The attack vector is network-based, requiring an attacker to send crafted HTTP requests to the development server. An attacker could submit requests containing path traversal sequences to access files outside the web root directory:
- Attacker identifies a running DOMPurify development server instance
- Attacker crafts a malicious request with path traversal sequences (e.g., /../../../etc/passwd)
- The vulnerable path.join() resolves the traversal sequence
- Server returns contents of files outside the intended directory
    // Vulnerable code (before patch): the URI is joined onto the working
    // directory with no check that the result stays inside it
    if (uri === '/test/') {
      uri = '/test/index.html';
    }
    filename = path.join(process.cwd(), uri);

    // Patched code (after fix): resolve the canonical path, then refuse it
    // unless it lies under the working directory
    if (uri === '/test/') {
      uri = '/test/index.html';
    }
    filename = fs.realpathSync(path.resolve(process.cwd(), uri)); // throws if the path does not exist
    if (!filename.startsWith(process.cwd())) {
      res.writeHead(403, { 'Content-Type': 'text/plain' });
      res.end('403 Forbidden\n');
      return;
    }
Source: GitHub commit 6bc6d60 (DOMPurify)
Detection Methods for CVE-2025-48050
Indicators of Compromise
- HTTP requests containing path traversal sequences (../, ..%2f, %2e%2e/) targeting a DOMPurify development server
- Unusual file access patterns in server logs showing requests for files outside the web root
- Access attempts targeting sensitive system files like /etc/passwd, configuration files, or source code
- Web server error logs showing 404 or 500 errors for unexpected file paths
Detection Strategies
- Monitor web server logs for URI patterns containing encoded or plain path traversal sequences
- Implement Web Application Firewall (WAF) rules to detect and block path traversal attempts
- Use runtime application security protection (RASP) to monitor file access operations
- Deploy network intrusion detection signatures for path traversal attack patterns
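The indicators and strategies above can be checked against access logs directly. The following is an added example, not part of this advisory or of DOMPurify, that scans Common Log Format lines for request paths containing a ".." segment after plain, single and double percent-decoding, so that "..%2f", "%2e%2e/" and "%252e%252e" are all caught. The SAMPLE_LOG lines, client addresses and timestamps are constructed for illustration.

```javascript
// Matches a ".." path segment bounded by slashes, backslashes, or the ends.
const TRAVERSAL = /(^|[\/\\])\.\.([\/\\]|$)/;

// Percent-decode repeatedly (bounded) so double-encoded "%252e%252e" is seen.
function fullyDecode(s, rounds = 3) {
  let out = s;
  for (let i = 0; i < rounds; i++) {
    let next;
    try { next = decodeURIComponent(out); } catch (e) { break; }
    if (next === out) break;
    out = next;
  }
  return out;
}

// Extract the request target from a Common Log Format line; null if absent.
function requestPath(line) {
  const m = line.match(/"(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) (\S+) HTTP\/[\d.]+"/);
  return m ? m[1] : null;
}

// Return one record per line whose decoded path contains a traversal segment.
function findTraversalAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    const target = requestPath(line);
    if (target === null) continue;
    const decoded = fullyDecode(target.split('?')[0]);
    if (TRAVERSAL.test(decoded)) {
      hits.push({ client: line.split(' ')[0], raw: target, decoded });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic; hypothetical client IPs).
const SAMPLE_LOG = [
  '10.0.0.5 - - [15/May/2025:10:01:02 +0000] "GET /test/ HTTP/1.1" 200 512',
  '10.0.0.9 - - [15/May/2025:10:01:07 +0000] "GET /../../../etc/passwd HTTP/1.1" 403 14',
  '10.0.0.9 - - [15/May/2025:10:01:09 +0000] "GET /test/..%2f..%2fpackage.json HTTP/1.1" 200 1337',
  '10.0.0.9 - - [15/May/2025:10:01:11 +0000] "GET /%252e%252e/%252e%252e/etc/hosts HTTP/1.1" 404 9',
  '10.0.0.7 - - [15/May/2025:10:02:00 +0000] "GET /dist/purify.min.js HTTP/1.1" 200 20480',
];
```

Running findTraversalAttempts(SAMPLE_LOG) flags the three requests from 10.0.0.9 and nothing else; the decoded field shows the normalized path that a WAF or IDS rule should match on.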
Monitoring Recommendations
- Enable verbose logging on development servers to capture full request URIs
- Implement file integrity monitoring on sensitive directories
- Set up alerts for access attempts to files outside the intended web root directory
- Monitor for unusual outbound data transfers that may indicate successful file exfiltration
How to Mitigate CVE-2025-48050
Immediate Actions Required
- Update DOMPurify to a version containing commit 6bc6d60 or later
- Ensure the development server script (scripts/server.js) is not running on production or publicly accessible systems
- Restrict network access to development servers using firewall rules or network segmentation
- Review web server logs for any indicators of exploitation attempts
Patch Information
The vulnerability has been addressed in GitHub Commit 6bc6d60. The fix implements proper path validation by using fs.realpathSync() to resolve the canonical path and then verifying that the resolved path starts with the current working directory. If the path attempts to escape the working directory, the server now returns a 403 Forbidden response.
Workarounds
- Do not expose the DOMPurify development server to untrusted networks
- Restrict the development server to localhost binding only
- Implement reverse proxy with path validation in front of the development server
- Use network access controls to limit which hosts can connect to development servers
    # Configuration example - restrict the development server to localhost only
    # Modify server.js to bind only to the loopback address
    # Replace: server.listen(port)
    # With:    server.listen(port, '127.0.0.1')

    # Alternatively, use iptables to allow only local connections to the
    # server's port (8080 here; adjust to the port server.js listens on).
    # These rules cover IPv4 only; add matching ip6tables rules for ::1.
    iptables -A INPUT -p tcp --dport 8080 -s 127.0.0.1 -j ACCEPT
    iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.