Bug 2366606 (CVE-2025-48050) - CVE-2025-48050 DOMPurify: DOMPurify Path Traversal Vulnerability
Summary: CVE-2025-48050 DOMPurify: DOMPurify Path Traversal Vulnerability
Keywords:
Status: NEW
Alias: CVE-2025-48050
Product: Security Response
Classification: Other
Component: vulnerability-draft
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2366720 2366721 2366725 2366727 2366728 2366730 2366733 2366734 2366722 2366723 2366724 2366726 2366729 2366731 2366732 2366735
Blocks:
Reported: 2025-05-15 17:01 UTC by OSIDB Bzimport
Modified: 2025-06-17 08:27 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2025-05-15 17:01:22 UTC
In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory.
