2366724 – CVE-2025-48050 nextcloud: DOMPurify Path Traversal Vulnerability [epel-9]

Bug 2366724 - CVE-2025-48050 nextcloud: DOMPurify Path Traversal Vulnerability [epel-9]

Summary: CVE-2025-48050 nextcloud: DOMPurify Path Traversal Vulnerability [epel-9]

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	nextcloud
Sub Component:
Version:	epel9
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Andrew Bauer
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:	{"flaws": ["860d65d8-8a5e-4848-8ebe-b...
Depends On:
Blocks:	CVE-2025-48050
TreeView+	depends on / blocked

Reported:	2025-05-16 04:51 UTC by Avinash Hanwate
Modified:	2025-05-26 15:38 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2025-05-26 15:38:35 UTC
Type:	---
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2025-05-16 04:51:54 UTC

More information about this security flaw is available in the following bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2366606

Disclaimer: Community trackers are created by Red Hat Product Security team on a best effort basis. Package maintainers are required to ascertain if the flaw indeed affects their package, before starting the update process.

Comment 1 Andrew Bauer 2025-05-26 15:38:35 UTC

The CVE associated with this bug was revoked. 

Please refer to the following:
https://github.com/cure53/DOMPurify/issues/1102
https://security.snyk.io/vuln/SNYK-JS-DOMPURIFY-10176060

Nextcloud 29 has reached EOL and upstream will consequently not provide future updates.
Their integrity checker hashes all files in the tarball, which complicates any attempt to patch the source during build.

Consequently, I will not update dompurify for Nextcloud 29 at this time, since this has been determined, from the link above, not to be a legitimate CVE.

Note You need to log in before you can comment on or make changes to this bug.