Search for packages
| purl | pkg:npm/mammoth@1.2.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-p137-ttxf-1fgc
Aliases: CVE-2025-11849 GHSA-rmjr-87wv-gf87 |
Mammoth is vulnerable to Directory Traversal Versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth from 0.3.25 and before 1.11.0; versions of the package mammoth before 1.11.0; versions of the package org.zwobble.mammoth:mammoth before 1.11.0 are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (r:link attribute instead of embedded r:embed). The library resolves the URI to a file path and after reading, the content is encoded as base64 and included in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed or cause an excessive resources consumption by crafting a docx file that links to special device files such as /dev/random or /dev/zero. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-01T09:05:39.609139+00:00 | GitLab Importer | Affected by | VCID-p137-ttxf-1fgc | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/mammoth/CVE-2025-11849.yml | 38.6.0 |