CVE-2025-64184: Dosage vulnerable to a Directory Traversal through crafted HTTP responses

November 4, 2025 (updated November 7, 2025)

When downloadinging comic images, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met).

References

github.com/advisories/GHSA-4vcx-3pj3-44m7
github.com/webcomics/dosage
github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e
github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7
nvd.nist.gov/vuln/detail/CVE-2025-64184

Code Behaviors & Features

Detect and mitigate CVE-2025-64184 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →