CVE-2025-54387

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/unjs/ipx/commit/81693ddbfc062cc922e4e2406e8427ab4e3ad214", "name": "https://github.com/unjs/ipx/commit/81693ddbfc062cc922e4e2406e8427ab4e3ad214", "tags": [], "refsource": ""}, {"url": "https://github.com/unjs/ipx/releases/tag/v1.3.2", "name": "https://github.com/unjs/ipx/releases/tag/v1.3.2", "tags": [], "refsource": ""}, {"url": "https://github.com/unjs/ipx/releases/tag/v2.1.1", "name": "https://github.com/unjs/ipx/releases/tag/v2.1.1", "tags": [], "refsource": ""}, {"url": "https://github.com/unjs/ipx/releases/tag/v3.1.1", "name": "https://github.com/unjs/ipx/releases/tag/v3.1.1", "tags": [], "refsource": ""}, {"url": "https://github.com/unjs/ipx/security/advisories/GHSA-mm3p-j368-7jcr", "name": "https://github.com/unjs/ipx/security/advisories/GHSA-mm3p-j368-7jcr", "tags": [], "refsource": ""}, {"url": "https://github.com/unjs/ipx/security/advisories/GHSA-mm3p-j368-7jcr", "name": "https://github.com/unjs/ipx/security/advisories/GHSA-mm3p-j368-7jcr", "tags": [], "refsource": ""}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "IPX is an image optimizer powered by sharp and svgo. In versions 1.3.1 and below, 2.0.0-0 through 2.1.0, and 3.0.0 through 3.1.0, the approach used to check whether a path is within allowed directories is vulnerable to path prefix bypass when the allowed directories do not end with a path separator. This occurs because the check relies on a raw string prefix comparison. This is fixed in versions 1.3.2, 2.1.1 and 3.1.1."}]}, "problemtype": {"problemtype_data": [{"description": []}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2025-54387", "ASSIGNER": "security-advisories@github.com"}}, "impact": {}, "publishedDate": "2025-08-05T01:15Z", "configurations": {"nodes": [], "CVE_data_version": "4.0"}, "lastModifiedDate": "2025-08-05T14:15Z"}