CVE-2025-11849 is a directory traversal vulnerability affecting the mammoth library, a tool used to convert DOCX files to HTML. The issue exists in versions up to 1.11.0 due to insufficient validation of the r:link attribute in DOCX image elements. Instead of embedded images (r:embed), the library processes external links by resolving the URI to a local file path. This allows an attacker to craft a malicious DOCX file containing image references to arbitrary files on the host system. When mammoth processes such a file, it reads the referenced file, encodes its content in base64, and embeds it in the HTML output. This can lead to unauthorized disclosure of sensitive files. Additionally, referencing special device files like /dev/random or /dev/zero can cause excessive resource consumption, potentially leading to denial of service. The vulnerability requires no privileges or authentication but does require user interaction to process the malicious DOCX file. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, user interaction needed, and high scope, with partial impact on confidentiality and availability. No known exploits have been reported yet, but the vulnerability poses a significant risk in environments that automatically process untrusted DOCX files.

For European organizations, the impact includes potential exposure of sensitive internal files if attackers can submit malicious DOCX files for processing. This is particularly critical for enterprises that automate document ingestion or conversion workflows using mammoth, such as content management systems, web applications, or document processing pipelines. Confidentiality breaches could expose intellectual property, personal data, or configuration files. Resource exhaustion attacks could disrupt services, causing denial of service and impacting availability. Given the medium severity, the risk is moderate but can escalate if combined with other vulnerabilities or used in targeted attacks. Organizations handling sensitive documents or operating in regulated sectors (finance, healthcare, government) face increased compliance and reputational risks if exploited.

1. Upgrade mammoth to version 1.11.0 or later where this vulnerability is fixed. 2. Implement strict validation and sanitization of DOCX files before processing, rejecting files with external image links or suspicious r:link attributes. 3. Run document conversion processes in isolated, sandboxed environments with minimal file system permissions to limit access to sensitive files. 4. Monitor and log document processing activities to detect anomalous file access patterns. 5. Employ rate limiting and resource usage controls to mitigate potential denial of service from resource exhaustion. 6. Educate users and administrators about the risks of processing untrusted DOCX files and enforce policies restricting document sources. 7. Consider using alternative libraries or tools with stronger security postures if mammoth is not essential.