CVE-2025-54387
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-10-09
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unjs | ipx | to 1.3.2 (exc) |
| unjs | ipx | From 2.0.0 (inc) to 2.1.1 (exc) |
| unjs | ipx | From 3.0.0 (inc) to 3.1.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54387 is a path traversal vulnerability in the ipx image optimizer package. The vulnerability arises because the software checks if a file path is within allowed directories using a simple string prefix comparison without ensuring the allowed directory path ends with a path separator. This allows an attacker to craft file paths that appear to be inside an allowed directory but actually point outside it by exploiting similarly prefixed directory names (e.g., accessing files in 'public123' when only 'public' is allowed). This improper validation can lead to unauthorized access to files outside the intended directory. [1, 5]
How can this vulnerability impact me?
This vulnerability can allow an attacker to access files outside the intended directory, potentially exposing sensitive or confidential information. Since the attack can be performed remotely without any privileges or user interaction, it poses a moderate risk. The impact includes unauthorized disclosure of files (confidentiality impact) and possible integrity issues if files outside the directory are accessed or manipulated. However, availability is not affected. [1, 5]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing whether the ipx package improperly allows access to files outside the intended directory via crafted path inputs that exploit prefix similarities. For example, attempts to access files in directories with similar prefixes (e.g., accessing '../public123/file.png' when the allowed directory is 'public') should be blocked. You can test this by sending HTTP requests to the ipx service with such crafted paths and observing whether unauthorized files are accessible or whether a 403 Forbidden error with the status text 'IPX_FORBIDDEN_PATH' is returned. Specific commands depend on your environment, but an example curl command to test is: curl -v 'http://your-ipx-server/path?file=../public123/test.png', after which you check the response status and body for forbidden access. Additionally, monitoring logs for 'IPX_FORBIDDEN_PATH' errors can help detect attempts to exploit this vulnerability. [1, 5]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the ipx package to a fixed version where the vulnerability is patched. Specifically, upgrade to version 1.3.2 or later if using the 1.x series, 2.1.1 or later if using the 2.x series, or 3.1.1 or later if using the 3.x series. These versions include a fix that enforces strict directory boundary checks by ensuring the allowed directory path ends with a path separator and validating the requested file path properly. If upgrading immediately is not possible, implement strict input validation on file paths to ensure they cannot escape the intended directories, and monitor for suspicious access attempts returning 'IPX_FORBIDDEN_PATH' errors. [1, 2, 3, 4, 5]