CVE-2025-11849

CRITICAL

NPM Mammoth < 1.11.0 - Path Traversal


Description

Versions of the package mammoth from 0.3.25 and before 1.11.0 (npm and PyPI), versions of the package mammoth before 1.11.0 (NuGet), and versions of the package org.zwobble.mammoth:mammoth before 1.11.0 (Maven) are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (an r:link attribute instead of the embedded r:embed). The library resolves the URI to a file path, reads the file, base64-encodes the content and embeds it in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed, or cause excessive resource consumption, by crafting a docx file that links to special device files such as /dev/random or /dev/zero.
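A pre-conversion check a defender can run on untrusted documents before handing them to an unpatched converter, added here as an example (not mammoth's own code): it opens the docx package, walks every `.rels` part and reports image relationships marked `TargetMode="External"`, which is how an `r:link` image is expressed in the package. The sample relationship parts and the target path are constructed for the demonstration; upgrading to 1.11.0 remains the actual fix.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

# Constructed sample relationship parts: one with only an embedded image,
# one with an externally linked image (the r:link case from the advisory).
SAFE_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{IMAGE_REL}" Target="media/image1.png"/>'
    '</Relationships>'
)
EXTERNAL_RELS = (
    f'<Relationships xmlns="{RELS_NS}">'
    f'<Relationship Id="rId1" Type="{IMAGE_REL}" Target="media/image1.png"/>'
    f'<Relationship Id="rId2" Type="{IMAGE_REL}" '
    'Target="file:///some/local/path.png" TargetMode="External"/>'
    '</Relationships>'
)


def external_image_targets(docx_bytes):
    """Return (part name, Target) for every image relationship that is external.

    Only .rels parts are parsed, and only their attributes are read, so the
    document body itself is never interpreted. xml.etree is used for brevity;
    for untrusted input in production prefer defusedxml to block entity bombs.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as package:
        for name in package.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(package.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") == IMAGE_REL and rel.get("TargetMode") == "External":
                    found.append((name, rel.get("Target")))
    return found


def safe_to_convert(docx_bytes):
    """Policy helper: reject any document that carries an external image link."""
    return not external_image_targets(docx_bytes)


def build_docx(rels_xml):
    """Constructed minimal package with a single document relationship part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as package:
        package.writestr("[Content_Types].xml", "<Types/>")
        package.writestr("word/document.xml", "<document/>")
        package.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()
```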

Scores

CVSS v3 9.3
EPSS 0.0027
EPSS Percentile 50.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-22
Status published
Products (7)
n/a/Mammoth < 1.11.0
n/a/mammoth 0.3.25 - 1.11.0
n/a/org.zwobble.mammoth:mammoth < 1.11.0
npm/mammoth 0.3.25 - 1.11.0 (npm)
nuget/Mammoth 0 - 1.11.0 (NuGet)
org.zwobble.mammoth/mammoth 0 - 1.11.0 (Maven)
pypi/mammoth 0.3.25 - 1.11.0 (PyPI)
Published Oct 17, 2025
Tracked Since Feb 18, 2026