Bug 2366606 (CVE-2025-48050)

Summary:	CVE-2025-48050 DOMPurify: DOMPurify Path Traversal Vulnerability
Product:	[Other] Security Response	Reporter:	OSIDB Bzimport <bzimport>
Component:	vulnerability-draft	Assignee:	Product Security DevOps Team <prodsec-dev>
Status:	NEW ---	QA Contact:
Severity:	high	Docs Contact:
Priority:	high
Version:	unspecified	CC:	aazores, abarbaro, adkhan, alcohan, anjoseph, aveerama, bbrownin, brking, caswilli, chfoley, cmah, cmiranda, dhanak, dsimansk, eaguilar, ebaron, eric.wittmann, fdeutsch, gparvin, gryan, gzaronik, haoli, hkataria, ibek, jajackso, janstey, jcammara, jchui, jhe, jhuff, jkoehler, jmitchel, jneedle, jprabhak, jrokos, jscholz, jwendell, kaycoth, kegrant, kingland, koliveir, kshier, ktsao, kverlaen, lchilton, lphiri, mabashia, manissin, matzew, mnovotny, nboldt, nipatil, njean, oramraz, owatkins, pahickey, pantinor, pbraun, pcongius, pjindal, porcelli, psrna, rcernich, relrod, rguimara, rhaigner, rkubis, sausingh, sdawley, sfeifer, sfroberg, shvarugh, simaishi, skontopo, smcdonal, smullick, stcannon, stirabos, swoodman, teagle, tfister, thason, thavo, wtam, yguenane
Target Milestone:	---	Keywords:	Security
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:		Doc Type:	---
Doc Text:	A flaw was found in DOMPurify. This vulnerability allows arbitrary file deletion via crafted input.	Story Points:	---
Clone Of:		Environment:
Last Closed:		Type:	---
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	2366720, 2366721, 2366730, 2366733, 2366722, 2366723, 2366724, 2366725, 2366726, 2366727, 2366728, 2366729, 2366731, 2366732, 2366734, 2366735
Bug Blocks:

Description OSIDB Bzimport 2025-05-15 17:01:22 UTC

In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory.