CVE-2025-54387: 
JavaScript vulnerability analysis and mitigation

IPX, an image optimizer powered by sharp and svgo, has been identified with a path traversal vulnerability (CVE-2025-54387) discovered on August 4, 2025. The vulnerability affects versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0. The issue stems from improper path validation when checking whether a path is within allowed directories, particularly when the allowed directories do not end with a path separator (GitHub Advisory).

The vulnerability occurs due to the approach used to check whether a path is within allowed directories, which relies on a raw string prefix comparison. When the allowed directories do not end with a path separator, the check can be bypassed. This creates a path traversal vulnerability that could allow access to files outside the intended directory structure. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:L/SA:N (GitHub Advisory).

The vulnerability could allow attackers to access files outside the intended directory structure through path traversal. For example, if a directory is set to './public', an attacker could potentially access files in '../public123/test.png' due to the prefix matching bypass. This could lead to unauthorized access to sensitive files outside the restricted directory (GitHub Advisory).

The vulnerability has been fixed in versions 1.3.2, 2.1.1, and 3.1.1. The fix involves ensuring that directory paths end with a path separator before performing the prefix comparison check. Users are strongly recommended to upgrade to these patched versions: >= v1.3.2 < 2.0.0 || >= v2.1.1 < 3.0.0 || >= v3.1.1 (GitHub Advisory).