CVE-2025-54387 is a path traversal vulnerability identified in the unjs ipx image optimizer library, which leverages sharp and svgo for image processing. The vulnerability affects multiple versions of ipx: all versions below 1.3.2, versions from 2.0.0-0 up to but not including 2.1.1, and versions from 3.0.0 up to but not including 3.1.1. The root cause is an improper limitation of pathname to restricted directories (CWE-22). Specifically, the vulnerability arises because the method used to verify whether a requested file path resides within allowed directories relies on a raw string prefix comparison without ensuring the allowed directory paths end with a path separator. This allows an attacker to craft a path that bypasses the prefix check by exploiting path prefix similarities, effectively enabling access to files outside the intended directories. This can lead to unauthorized file access or disclosure. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network. The CVSS v4.0 base score is 6.9 (medium severity), reflecting network attack vector, low complexity, no privileges required, no user interaction, and limited confidentiality impact. The vulnerability has been fixed in versions 1.3.2, 2.1.1, and 3.1.1 of ipx. There are no known exploits in the wild as of the publication date (August 5, 2025). However, the presence of this vulnerability in widely used image optimization pipelines could pose a risk if left unpatched.

For European organizations, the impact of CVE-2025-54387 can be significant, particularly for those relying on ipx for image processing in web applications or content delivery systems. Exploitation could allow attackers to access sensitive files on the server, potentially exposing confidential data or configuration files. This could lead to information disclosure, aiding further attacks such as privilege escalation or lateral movement. Given that ipx is often integrated into web development stacks, vulnerable deployments could be exposed to remote attackers without authentication. This risk is heightened for organizations handling sensitive personal data under GDPR, as unauthorized data exposure could result in regulatory penalties and reputational damage. Additionally, compromised image processing services could be leveraged to serve malicious content or disrupt availability, impacting service integrity and user trust. Although the vulnerability does not directly allow code execution or denial of service, the unauthorized file access vector is a critical concern for data confidentiality and system security.

European organizations should prioritize upgrading ipx to the fixed versions: 1.3.2, 2.1.1, or 3.1.1 depending on their current version. If immediate upgrade is not feasible, implement strict input validation and sanitization on all file path inputs to ensure they cannot be manipulated to traverse directories. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block path traversal attempts targeting ipx endpoints. Restrict file system permissions for the ipx process to limit access only to necessary directories, minimizing the impact of any traversal attempts. Conduct thorough code reviews and penetration testing focusing on file path handling in image optimization workflows. Monitor logs for suspicious path access patterns indicative of exploitation attempts. Finally, maintain an inventory of all applications and services using ipx to ensure comprehensive patching and risk assessment.