CVE-2025-54387: 
JavaScript vulnerability analysis and mitigation

IPX, an image optimizer powered by sharp and svgo, was found to contain a path traversal vulnerability (CVE-2025-54387) discovered in August 2025. The vulnerability affects versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0. The issue stems from improper path validation when checking whether a path is within allowed directories, specifically when the allowed directories do not end with a path separator (GitHub Advisory).

The vulnerability occurs due to the approach used to check whether a path is within allowed directories, which relies on a raw string prefix comparison. When directory paths don't end with a path separator, the validation can be bypassed. For example, if the allowed directory is set to './public', an attacker could access files in '../public123/test.png' because the path validation only checks if the path starts with the specified directory string without properly validating the complete path structure. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Moderate) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N (GitHub Advisory).

The vulnerability allows for path traversal attacks, potentially enabling attackers to access files outside the intended directory structure. This could lead to unauthorized access to sensitive files and information disclosure on the affected system. The CVSS metrics indicate a high subsequent system confidentiality impact and low integrity impact (GitHub Advisory).

The vulnerability has been patched in versions 1.3.2, 2.1.1, and 3.1.1. The fix involves ensuring that the directory path ends with a path separator (/) before performing the startsWith check. Users are advised to upgrade to these patched versions to protect against potential exploitation (GitHub Advisory, GitHub Commit).