CVE-2025-54387
Published: Aug 5, 2025
Modified: Aug 5, 2025
Description
IPX is an image optimizer powered by sharp and svgo. In versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0, the approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path separator. This occurs because the check relies on a raw string prefix comparison. This is fixed in versions 1.3.2, 2.1.1 and 3.1.1.
| Vendor | Product | Versions |
|---|---|---|
| unjs | ipx | affected < 1.3.2; affected >= 2.0.0-0, < 2.1.1; affected >= 3.0.0, < 3.1.1 |
Weaknesses (CWE)
References
- https://github.com/unjs/ipx/security/advisories/GHSA-mm3p-j368-7jcr (x_refsource_CONFIRM)
- https://github.com/unjs/ipx/releases/tag/v1.3.2 (x_refsource_MISC)
- https://github.com/unjs/ipx/releases/tag/v2.1.1 (x_refsource_MISC)
- https://github.com/unjs/ipx/releases/tag/v3.1.1 (x_refsource_MISC)