CVE-2025-48050 is a high-severity path traversal vulnerability (CWE-24) affecting the DOMPurify project maintained by Cure53. The vulnerability exists in the scripts/server.js file in versions through 3.2.5 before commit 6bc6d60. The issue arises because the script does not properly validate that a given pathname is located under the current working directory. This lack of validation allows an attacker to use path traversal sequences such as '../filedir' to access files outside the intended directory scope. However, the supplier has disputed the significance of this vulnerability, noting that the affected script is a development helper that starts a local web server only if manually initiated, implying limited exposure in production environments. The CVSS v3.1 score is 7.5 (high), with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), scope changed (S:C), high confidentiality impact (C:H), low integrity impact (I:L), and no availability impact (A:N). This means that an unauthenticated attacker can remotely exploit the vulnerability without user interaction, but the attack requires complex conditions and affects confidentiality primarily by potentially exposing sensitive files outside the working directory. The scope change indicates that the vulnerability affects resources beyond the initially vulnerable component. No known exploits are currently in the wild, and no patches are linked yet. The vulnerability is specifically in a development helper script rather than the core DOMPurify library, which sanitizes HTML to prevent XSS attacks. Therefore, the risk is mostly limited to environments where this helper script is manually started and exposed to untrusted input over the network.

For European organizations, the direct impact of CVE-2025-48050 is likely limited due to the nature of the vulnerable component being a development helper script rather than a core production library. However, if development or staging environments expose this script to untrusted networks or users, attackers could exploit the path traversal to read sensitive files outside the intended directory. This could lead to leakage of source code, configuration files, credentials, or other sensitive data, potentially aiding further attacks. Confidentiality impact is high, but integrity and availability impacts are low. Organizations relying on DOMPurify for web content sanitization are not directly affected in their production environments unless they use this helper script inappropriately. The vulnerability could be more impactful in organizations with lax development environment security or where development tools are exposed beyond trusted networks. Given the increasing trend of remote development and cloud-based IDEs, inadvertent exposure of such helper scripts could increase risk. Overall, the threat is moderate for European enterprises but should be addressed to prevent potential data leakage in development contexts.

1. European organizations should ensure that the vulnerable scripts/server.js development helper script is never exposed to untrusted networks or users. It should be restricted to localhost or secured development environments only. 2. Implement strict access controls and network segmentation to isolate development and staging environments from production and public networks. 3. Monitor and audit usage of development helper scripts to detect any unauthorized execution or exposure. 4. Apply the patch or update DOMPurify to a version that includes the fix once available, even if the risk is considered low in production. 5. Educate developers about the risks of exposing development tools and scripts that can be exploited via path traversal or other vulnerabilities. 6. Use containerization or sandboxing for development environments to limit the impact of any potential exploitation. 7. Conduct regular security reviews of development tools and helper scripts to identify and remediate similar issues proactively.