Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
2 vulnerabilities by webcomics
CVE-2025-64184 (GCVE-0-2025-64184)
Vulnerability from nvd – Published: 2025-11-07 03:02 – Updated: 2025-11-07 18:02
VLAI
Title
Dosage vulnerable to Directory Traversal through crafted HTTP responses
Summary
Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/webcomics/dosage/security/advi… | x_refsource_CONFIRM |
| https://github.com/webcomics/dosage/commit/336a96… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T18:02:18.606724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T18:02:26.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dosage",
"vendor": "webcomics",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T03:02:41.838Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7"
},
{
"name": "https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e"
}
],
"source": {
"advisory": "GHSA-4vcx-3pj3-44m7",
"discovery": "UNKNOWN"
},
"title": "Dosage vulnerable to Directory Traversal through crafted HTTP responses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64184",
"datePublished": "2025-11-07T03:02:41.838Z",
"dateReserved": "2025-10-28T21:07:16.440Z",
"dateUpdated": "2025-11-07T18:02:26.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64184 (GCVE-0-2025-64184)
Vulnerability from cvelistv5 – Published: 2025-11-07 03:02 – Updated: 2025-11-07 18:02
VLAI
Title
Dosage vulnerable to Directory Traversal through crafted HTTP responses
Summary
Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2.
Severity
8.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/webcomics/dosage/security/advi… | x_refsource_CONFIRM |
| https://github.com/webcomics/dosage/commit/336a96… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64184",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-07T18:02:18.606724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T18:02:26.896Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "dosage",
"vendor": "webcomics",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-07T03:02:41.838Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7"
},
{
"name": "https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e"
}
],
"source": {
"advisory": "GHSA-4vcx-3pj3-44m7",
"discovery": "UNKNOWN"
},
"title": "Dosage vulnerable to Directory Traversal through crafted HTTP responses"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64184",
"datePublished": "2025-11-07T03:02:41.838Z",
"dateReserved": "2025-10-28T21:07:16.440Z",
"dateUpdated": "2025-11-07T18:02:26.896Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}