CVE-2025-64184: 
Python vulnerability analysis and mitigation

Dosage, a comic strip downloader and archiver, was found to contain a directory traversal vulnerability (CVE-2025-64184) affecting versions 3.1 and below. The vulnerability was discovered and disclosed on November 4, 2025. The issue stems from how the application handles file extensions when downloading comic images, specifically in the way it processes the HTTP Content-Type header (GitHub Advisory).

The vulnerability exists in the ComicPage.connect function within dosagelib/comic.py. While the basename of downloaded files is properly sanitized against directory traversal characters, the file extension is derived directly from the HTTP Content-Type header without proper validation. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating network accessibility with low attack complexity and no privileges required (GitHub Advisory, NVD).

The vulnerability allows a remote attacker or a Man-in-the-Middle (particularly if the comic is served over HTTP) to write arbitrary files outside the intended target directory, potentially leading to system compromise through arbitrary file writes (GitHub Advisory).

The vulnerability has been fixed in Dosage version 3.2. The patch replaces the unsafe string manipulation with a call to mimetypes.guess_extension, providing a secure way to map MIME types to file extensions. The fix is described as small and self-contained, allowing distributors to potentially backport it to older versions (GitHub Commit).