CNNVD-202510-2493 Information
CNNVD ID
CNNVD-202510-2493
Related CVE
-
CNNVD Published: 2025-10-17
Description (translated from Chinese)
Mammoth is a tool by individual developer Michael Williamson for converting Word documents to HTML. mammoth version 0.3.25 and versions before 1.11.0 contain a security vulnerability that stems from missing path or file type validation when processing docx files, which may lead to directory traversal attacks or excessive resource consumption.
Description (English)
Mammoth is a tool by individual developer Michael Williamson that converts Word documents to HTML. mammoth 0.3.25 and versions before 1.11.0 have a security vulnerability caused by the lack of path or file type validation when processing docx files, which may result in directory traversal attacks or excessive resource consumption.
Hazard Level
High
Vulnerability Type
Other
Affected Vendor
Individual developer
Published
2025-10-17
Last Modified
2026-02-24
References
https://security.snyk.io/vuln/SNYK-JS-MAMMOTH-13554470
https://gist.github.com/AudunWA/4d690d9ae5efdafe7cf71d9c2ee90a10
https://security.snyk.io/vuln/SNYK-JAVA-ORGZWOBBLEMAMMOTH-13561969
https://security.snyk.io/vuln/SNYK-DOTNET-MAMMOTH-13561968
https://github.com/mwilliamson/mammoth.js/commit/c54aaeb43a7941317c1f3c119ffa92090f988820
https://security.snyk.io/vuln/SNYK-PYTHON-MAMMOTH-13561967
https://access.redhat.com/security/cve/cve-2025-11849