CVE-2025-11849
Directory Traversal vulnerability in mammoth (npm)
What is CVE-2025-11849 About?
This vulnerability is a Directory Traversal flaw in the 'mammoth' package, caused by insufficient validation of paths or file types within docx files. It allows attackers to read arbitrary files on the system or trigger resource exhaustion. Exploitation is relatively easy, requiring a specially crafted docx file.
Affected Software
- mammoth
  - >0.3.25, <1.11.0
- org.zwobble.mammoth:mammoth
  - <1.11.0
- Mammoth
  - <1.11.0
Technical Details
The 'mammoth' package, specifically in versions from 0.3.25 before 1.11.0, is vulnerable to Directory Traversal when processing docx files. The vulnerability arises because the library fails to validate paths or file types for images with external links (using the r:link attribute instead of r:embed). An attacker can craft a docx file containing an image where the r:link attribute points to an arbitrary file path on the system. When the library processes this docx file, it resolves the URI to a system file path, reads its content, encodes it as base64, and includes it in the HTML output as a data URI. This allows an attacker to read the content of sensitive files. Alternatively, an attacker can link to special device files like /dev/random or /dev/zero to cause excessive resource consumption and potentially a Denial of Service.
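The linked-image path described above is visible in the package's relationships part before any conversion runs: an `r:link` reference resolves to a `Relationship` with `TargetMode="External"` in `word/_rels/document.xml.rels`. The following pre-filter, added here as an example and not code from the mammoth project, lists those external image relationships and flags targets that are not http(s) URLs as local filesystem references, so a document can be rejected before it reaches a vulnerable converter. It assumes the caller has already unzipped the `.rels` part; `SAMPLE_RELS` is a constructed stand-in for it.

```javascript
// Added example, not mammoth's own code: inspect a DOCX's image relationships
// for external targets before the file is handed to a converter. The caller is
// assumed to have extracted word/_rels/document.xml.rels from the archive already.

const IMAGE_REL_TYPE =
  "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image";

// Constructed sample: one embedded image (r:embed) and three linked images (r:link).
const SAMPLE_RELS = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
  <Relationship Id="rId1" Type="${IMAGE_REL_TYPE}" Target="media/image1.png"/>
  <Relationship Id="rId2" Type="${IMAGE_REL_TYPE}" Target="https://example.com/logo.png" TargetMode="External"/>
  <Relationship Id="rId3" Type="${IMAGE_REL_TYPE}" Target="file:///etc/hostname" TargetMode="External"/>
  <Relationship Id="rId4" Type="${IMAGE_REL_TYPE}" Target="/dev/zero" TargetMode="External"/>
</Relationships>`;

// Parse the attribute list of each <Relationship .../> element. A regex is enough
// for this flat, machine-generated part; a real XML parser belongs in production.
function parseRelationships(relsXml) {
  const rels = [];
  for (const m of relsXml.matchAll(/<Relationship\b([^>]*?)\/?>/g)) {
    const attrs = {};
    for (const a of m[1].matchAll(/([\w:]+)="([^"]*)"/g)) attrs[a[1]] = a[2];
    rels.push(attrs);
  }
  return rels;
}

// Every image relationship whose target lives outside the archive, i.e. the
// r:link / TargetMode="External" case that vulnerable mammoth resolved to a file
// path. Targets that are not http(s) URLs are tagged as local file references.
function findExternalImageRefs(relsXml) {
  return parseRelationships(relsXml)
    .filter((r) => r.Type === IMAGE_REL_TYPE && r.TargetMode === "External")
    .map((r) => ({
      id: r.Id,
      target: r.Target,
      kind: /^https?:\/\//i.test(r.Target) ? "url" : "local",
    }));
}

// Gate for an upload pipeline: true if any linked image points at a local path
// (file: URIs, absolute paths such as /dev/zero, or relative traversal paths).
function hasLocalFileImage(relsXml) {
  return findExternalImageRefs(relsXml).some((r) => r.kind === "local");
}
```

Running `hasLocalFileImage` over the extracted `.rels` part of each uploaded document, and logging the `findExternalImageRefs` output for rejected files, gives both a block and a detection record for this pattern.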
What is the Impact of CVE-2025-11849?
Successful exploitation may allow attackers to read arbitrary files from the system, potentially exposing sensitive data, or cause a denial of service due to excessive resource consumption.
What is the Exploitability of CVE-2025-11849?
Exploitation of this vulnerability involves crafting a malicious docx file. The complexity is low as it leverages a specific parsing flaw in the 'mammoth' library. No authentication or elevated privileges are required, as the vulnerability resides in the file processing logic. The attack is remote, as the crafted docx file can be delivered to a target system that uses the vulnerable library for conversion. The primary constraint is convincing the target to process the malicious docx file. The likelihood of exploitation increases if the application routinely processes untrusted docx files.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-11849?
About the Fix from Resolved Security
This patch introduces an explicit externalFileAccess option, defaulting to false, that determines whether files referenced from outside the DOCX archive may be accessed by the library. By disabling external file access unless it is explicitly enabled, the patch mitigates the risk of arbitrary file disclosure and thereby fixes the information disclosure vulnerability CVE-2025-11849. Attempts to access external files while externalFileAccess is unset or false now fail with a clear error instead of performing an unintended read.
Available Upgrade Options
- mammoth
  - >0.3.25, <1.11.0 → Upgrade to 1.11.0
- org.zwobble.mammoth:mammoth
  - <1.11.0 → Upgrade to 1.11.0
- Mammoth
  - <1.11.0 → Upgrade to 1.11.0
Additional Resources
- https://security.snyk.io/vuln/SNYK-DOTNET-MAMMOTH-13561968
- https://gist.github.com/AudunWA/4d690d9ae5efdafe7cf71d9c2ee90a10
- https://github.com/mwilliamson/mammoth.js/commit/c54aaeb43a7941317c1f3c119ffa92090f988820
- https://security.snyk.io/vuln/SNYK-JS-MAMMOTH-13554470
- https://security.snyk.io/vuln/SNYK-JAVA-ORGZWOBBLEMAMMOTH-13561969
- https://github.com/mwilliamson/java-mammoth
- https://osv.dev/vulnerability/GHSA-rmjr-87wv-gf87
What are Similar Vulnerabilities to CVE-2025-11849?
Similar Vulnerabilities: CVE-2023-49080, CVE-2023-49081, CVE-2023-40810, CVE-2023-38435, CVE-2023-38434
