CVE-2025-64184 Overview
CVE-2025-64184 is a Path Traversal vulnerability in Dosage, a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header without adequate sanitization. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory when additional conditions are met.
Critical Impact
Remote attackers can exploit this vulnerability to write arbitrary files outside the intended download directory, potentially leading to code execution or system compromise when combined with other attack vectors.
Affected Products
- Dosage versions 3.1 and below
- Any system using Dosage to download comics over HTTP (vulnerable to MITM)
- Systems where downloaded comics interact with other file-based processes
Discovery Timeline
- 2025-11-07 - CVE CVE-2025-64184 published to NVD
- 2025-11-12 - Last updated in NVD database
Technical Details for CVE-2025-64184
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), allowing attackers to write files to arbitrary locations on the filesystem. The core issue lies in how Dosage processes the HTTP Content-Type header when determining the file extension for downloaded comic images.
The application correctly sanitizes the basename component of downloaded files, stripping out directory traversal sequences like ../. However, the file extension parsing logic trusts the Content-Type header from the remote server without applying the same sanitization. An attacker who can control this header—either by hosting a malicious comic server or by performing a Man-in-the-Middle attack on HTTP connections—can inject path traversal sequences into the file extension.
When additional conditions are met (such as having write permissions to sensitive directories or the application running with elevated privileges), this can allow writing arbitrary files outside the intended download directory.
Root Cause
The root cause of this vulnerability is insufficient input validation on the file extension derived from the HTTP Content-Type header. While Dosage developers implemented proper sanitization for the basename portion of file paths, the same defensive measures were not applied to the extension parsing logic. This represents an incomplete security boundary, where only part of the user-controlled input is validated.
The fix in version 3.2 addresses this by applying consistent sanitization to all components that form the final file path, ensuring directory traversal sequences cannot be injected through any input vector.
Attack Vector
The attack requires network access and user interaction (a user must initiate a download from a malicious or compromised comic source). The exploitation scenario involves:
- An attacker sets up a malicious comic server or intercepts HTTP traffic via MITM
- The attacker crafts a malicious Content-Type header containing path traversal sequences
- When Dosage downloads the comic image, it constructs the filename using the malicious extension
- The resulting file is written to an attacker-controlled location outside the download directory
The vulnerability manifests in the file extension parsing logic where the HTTP Content-Type header is processed. For technical implementation details, see the GitHub Security Advisory GHSA-4vcx-3pj3-44m7 and the fix commit.
Detection Methods for CVE-2025-64184
Indicators of Compromise
- Unexpected files appearing outside the Dosage download directory
- HTTP responses with unusual Content-Type headers containing path separators (/, \, ..)
- File system modifications in sensitive directories coinciding with Dosage execution
- Log entries showing file writes to paths outside the configured download location
Detection Strategies
- Monitor HTTP traffic for Content-Type headers containing directory traversal sequences like ../ or ..\
- Implement file integrity monitoring on sensitive directories to detect unexpected file creation
- Review Dosage download logs for anomalous file path patterns
- Use network intrusion detection rules to flag suspicious Content-Type headers in responses to known Dosage user agents
Monitoring Recommendations
- Enable file system auditing on systems running Dosage to track file creation events
- Implement egress filtering and SSL/TLS inspection to detect MITM attempts
- Deploy SentinelOne agents to monitor for suspicious file system activity indicative of path traversal exploitation
- Configure alerting for any file writes by Dosage processes outside their designated download directories
How to Mitigate CVE-2025-64184
Immediate Actions Required
- Upgrade Dosage to version 3.2 or later immediately
- Avoid downloading comics from untrusted sources until patched
- Ensure all comic downloads occur over HTTPS to prevent MITM attacks
- Run Dosage with minimal filesystem permissions to limit impact of potential exploitation
Patch Information
The vulnerability is fixed in Dosage version 3.2. The fix ensures that directory traversal sequences are properly stripped from all components used to construct file paths, including the file extension derived from the HTTP Content-Type header.
Review the official fix at the GitHub commit 336a9684 and consult the GitHub Security Advisory for additional details.
Workarounds
- Use HTTPS-only comic sources to prevent MITM exploitation scenarios
- Run Dosage in a sandboxed environment or container with restricted filesystem access
- Configure download directories with strict permissions that prevent writes outside the intended location
- Monitor and restrict outbound network connections from Dosage to known-good comic servers only
# Configuration example
# Ensure Dosage runs with restricted filesystem permissions
# Create a dedicated user with limited write access
sudo useradd -r -s /sbin/nologin dosage_user
mkdir -p /var/lib/dosage/downloads
chown dosage_user:dosage_user /var/lib/dosage/downloads
chmod 755 /var/lib/dosage/downloads
# Run Dosage as the restricted user
sudo -u dosage_user dosage --basepath /var/lib/dosage/downloads
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
