CVE-2025-48050
Grafana vulnerability analysis and mitigation

Overview

CVE-2025-48050 affects DOMPurify through version 3.2.5 (before commit 6bc6d60). The vulnerability exists in scripts/server.js where the application does not ensure that a pathname is located under the current working directory. This issue was discovered and disclosed on May 15, 2025. Notably, the vulnerability is disputed by the supplier, who argues that the issue only exists in a development helper script that requires manual activation (NVD, Wiz).

Technical details

The vulnerability is classified as a Path Traversal issue (CWE-24) with a CVSS v3.1 base score of 7.5 (HIGH). The CVSS vector string is CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:N, indicating network accessibility with high attack complexity, no privileges required, no user interaction needed, a changed scope, high confidentiality impact and low integrity impact. The vulnerability allows for potential directory traversal through improper path validation in the server.js script (NVD, Snyk).

Impact

The vulnerability could potentially allow attackers to access files outside the intended directory through path manipulation. This could result in unauthorized access to sensitive information or arbitrary file deletion via crafted input. However, the impact is limited as the vulnerability only exists in a development helper script (Snyk).

Mitigation and workarounds

The vulnerability has been fixed in commit 6bc6d60 by implementing proper path validation. The fix includes normalizing the path using path.resolve, using fs.realpathSync to resolve symbolic links, and verifying that the resolved path starts with the intended root directory. If the resolved path does not start with the root directory, the request is rejected with a 403 Forbidden status code (GitHub Commit).

Community reactions

The vulnerability has generated significant discussion within the security community, with the DOMPurify maintainers strongly disputing its severity. The project maintainer has stated that this is not a vulnerability as it only affects a development helper script and was created without proper coordination. The CVE was later disputed by the supplier (GitHub PR).
