| Name | CVE-2025-48050 |
| Description | In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier disputes the significance of this report because the "Uncontrolled data used in path expression" occurs "in a development helper script which starts a local web server if needed and must be manually started." |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|
| node-dompurify (PTS) | bookworm | 2.4.1+dfsg+~2.4.0-2+deb12u1 | vulnerable |
| bookworm (security) | 2.4.1+dfsg+~2.4.0-2 | vulnerable |
| forky, sid, trixie | 3.1.7+dfsg+~3.0.5-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|
| node-dompurify | source | (unstable) | (unfixed) | unimportant | | |
Notes
https://github.com/odaysec/advisory/blob/main/cure53/DOMPurify/writeup.md
https://github.com/cure53/DOMPurify/pull/1101
https://github.com/cure53/DOMPurify/commit/e9afd609397aa31b0747a766504f698fcb6ad0f7
Testserver (scripts/server.js) not installed into binary package