CVE-2025-64184HIGH 8.8EPSS p30.3%

CVE-2025-64184CVE-2025-64184

Description

Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS0.39% probability of exploitation · percentile 30.3% · 2026-06-19T12:03:05Z
Published2025-11-07
Last modified2026-04-15

Underlying weaknesses· 1

CWE-22

References

  1. https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e
  2. https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-69621
CVE
CVE-2025-9113
CVE
CVE-2025-65473
CVE
CVE-2025-65474
CVE
CVE-2025-55454
CVE
CVE-2025-5831
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.