CVE-2025-11849: 
JavaScript vulnerability analysis and mitigation

CVE-2025-11849 affects the Mammoth library (versions 0.3.25 to 1.11.0), which is used for converting Word documents to HTML. The vulnerability was discovered by Audun Wigum Arbo and was disclosed on October 14, 2025. The issue affects multiple implementations of Mammoth across different platforms including JavaScript, Python, Java, and .NET (Snyk JS, Snyk Python, Snyk Java, Snyk DotNet).

The vulnerability is a Directory Traversal issue (CWE-22) that occurs due to insufficient path and file type validation when processing docx files containing images with external links (r:link attribute instead of embedded r:embed). When processing such files, the library resolves the URI to a file path, reads the content, and includes it as a base64-encoded data URI in the HTML output. The vulnerability has received a CVSS v3.1 score of 9.3 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H (GitHub Gist).

The vulnerability has two primary impacts: 1) Information Disclosure - attackers can read arbitrary files accessible to the process running the Mammoth library, potentially exposing sensitive system files like /etc/passwd or configuration files, and 2) Denial of Service - attackers can cause excessive resource consumption by crafting docx files that link to special device files such as /dev/random or /dev/zero, potentially causing the process to hang indefinitely or crash (GitHub Gist).

The recommended mitigation is to upgrade to Mammoth version 1.11.0 or higher, which fixes the issue by disabling external file access by default. This fix has been implemented across all affected platforms including JavaScript, Python, Java, and .NET implementations (GitHub Commit).