Home > Vulnerability Database > CVE-2025-64184

Mend.io Vulnerability Database

CVE-2025-64184

Good to know:

Date: November 6, 2025

Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2.

Severity Score

8.8

Related Resources (5)

Url: https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-64184

Url: https://github.com/webcomics/dosage

Url: https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7

Url: https://www.mend.io/vulnerability-database/CVE-2025-64184

Severity Score

8.8

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version dosage - 3.2;https://github.com/webcomics/dosage.git - 3.2

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-64184

Good to know:

Date: November 6, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?