CVE-2025-64184

CVE-2025-64184 affects Dosage, an open-source comic strip downloader and archiver, in versions 3.1 and below. The vulnerability arises during the downloading of comic images, where target filenames are constructed from elements like the page URL, image URL, or page content. Although the basename is sanitized to remove directory-traversing characters, the file extension is directly derived from the HTTP Content-Type header provided by the server. This design flaw enables a form of path traversal (CWE-22), rated at CVSS 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), allowing files to be written outside the intended target directory under specific conditions.

A remote attacker can exploit this by hosting a malicious comic strip on a website that users might direct Dosage to download from, or via a man-in-the-middle (MitM) attack if the comic is served over HTTP. Exploitation requires user interaction, as the victim must run Dosage to download from the attacker's controlled source. Successful exploitation lets the attacker control the file extension via a manipulated Content-Type header, enabling arbitrary file writes outside the download directory if additional conditions (such as filesystem permissions) are met, potentially leading to high-impact confidentiality, integrity, and availability compromises on the victim's system.

The Dosage GitHub security advisory (GHSA-4vcx-3pj3-44m7) and the fixing commit (336a9684191604bc49eed7296b74bd582151181e) confirm the issue is resolved in version 3.2, which presumably strengthens filename construction to prevent Content-Type header abuse. Security practitioners should advise users to upgrade to Dosage 3.2 or later and avoid downloading from untrusted sources, especially over HTTP.