Bug 2366724

Summary: CVE-2025-48050 nextcloud: DOMPurify Path Traversal Vulnerability [epel-9]
Product: [Fedora] Fedora EPEL Reporter: Avinash Hanwate <ahanwate>
Component: nextcloudAssignee: Andrew Bauer <zonexpertconsulting>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: high    
Version: epel9CC: ichavero, zonexpertconsulting
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: {"flaws": ["860d65d8-8a5e-4848-8ebe-b19b60b4c0d7"]}
Fixed In Version: Doc Type: ---
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2025-05-26 15:38:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2366606    

Description Avinash Hanwate 2025-05-16 04:51:54 UTC 
More information about this security flaw is available in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2366606

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.
Comment 1 Andrew Bauer 2025-05-26 15:38:35 UTC 
The CVE associated with this bug was revoked. 

Please refer to the following:
https://github.com/cure53/DOMPurify/issues/1102
https://security.snyk.io/vuln/SNYK-JS-DOMPURIFY-10176060

Nextcloud 29 has reached EOL and upstream will consequently not provide future updates.
Their integrity checker hashes all files in the tarball, which complicates any attempt to patch the source during build.

Consequently, I will not update dompurify for Nextcloud 29 at this time, since this has been determined, from the link above, not to be a legitimate CVE.