VYPR
Critical severity 9.3 · OSV Advisory · Published Oct 17, 2025 · Updated Apr 29, 2026

CVE-2025-11849
Description

Versions of the mammoth package (npm and PyPI from 0.3.25 and before 1.11.0; NuGet before 1.11.0; org.zwobble.mammoth:mammoth on Maven before 1.11.0) are vulnerable to Directory Traversal due to the lack of path or file type validation when processing a docx file containing an image with an external link (an r:link attribute instead of an embedded r:embed). The library resolves the URI to a file path, reads the file, encodes the content as base64 and includes it in the HTML output as a data URI. An attacker can read arbitrary files on the system where the conversion is performed, or cause excessive resource consumption, by crafting a docx file that links to special device files such as /dev/random or /dev/zero.
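The external image link described above lives in the document's relationships part (word/_rels/document.xml.rels), where a relationship of the image type carries TargetMode="External". The following added example (not mammoth's own code) scans that XML, given as a string, and reports external image targets with a coarse risk class so a pipeline can reject a file before conversion; the sample XML is constructed for the demonstration.

```javascript
// Added example: pre-conversion check for externally linked images in a docx.
// Assumes the caller has already extracted word/_rels/document.xml.rels from the
// zip container; only the relationship XML is parsed here.
const IMAGE_REL =
  "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image";

// Classify an external target the way a reviewer would triage it.
function classifyTarget(target) {
  const t = target.replace(/^file:\/\/\/?/, ""); // strip a file: scheme if present
  if (/^\/dev\//.test(t)) return "device-file";      // e.g. /dev/random: resource exhaustion
  if (t.startsWith("/") || /^[A-Za-z]:[\\/]/.test(t)) return "absolute-path";
  if (/(^|[\\/])\.\.([\\/]|$)/.test(t)) return "parent-traversal";
  return "relative-external";
}

// Return every image relationship whose target is outside the package.
function findExternalImageTargets(relsXml) {
  const findings = [];
  const relRe = /<Relationship\b([^>]*)>/g;
  let m;
  while ((m = relRe.exec(relsXml)) !== null) {
    const attrs = {};
    const attrRe = /(\w+)="([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(m[1])) !== null) attrs[a[1]] = a[2];
    if (attrs.Type !== IMAGE_REL) continue;          // hyperlinks etc. are not read from disk
    if (attrs.TargetMode !== "External") continue;   // r:embed targets are parts inside the zip
    findings.push({ id: attrs.Id, target: attrs.Target, risk: classifyTarget(attrs.Target) });
  }
  return findings;
}

// Constructed sample: one embedded image, two external image links, one hyperlink.
const SAMPLE_RELS = `<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="${IMAGE_REL}" Target="media/image1.png"/>
<Relationship Id="rId2" Type="${IMAGE_REL}" Target="/dev/random" TargetMode="External"/>
<Relationship Id="rId3" Type="${IMAGE_REL}" Target="../../secret.txt" TargetMode="External"/>
<Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="https://example.com/" TargetMode="External"/>
</Relationships>`;

// A document with any external image target should not be converted with
// externalFileAccess enabled; with the default (disabled) it yields an error instead.
function isSafeToConvert(relsXml) {
  return findExternalImageTargets(relsXml).length === 0;
}
```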

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                       Ecosystem   Affected versions      Patched versions
mammoth                       npm         >= 0.3.25, < 1.11.0    1.11.0
org.zwobble.mammoth:mammoth   Maven       < 1.11.0               1.11.0
mammoth                       PyPI        >= 0.3.25, < 1.11.0    1.11.0
Mammoth                       NuGet       < 1.11.0               1.11.0

Patches (2)

Commit c54aaeb43a79

Disable external file access by default

https://github.com/mwilliamson/mammoth.js · Michael Williamson · Sep 19, 2025 · via ghsa
4 files changed · +15 −13
  • lib/options-reader.js+1 1 modified
    @@ -63,7 +63,7 @@ var defaultStyleMap = exports._defaultStyleMap = [
     ];
     
     var standardOptions = exports._standardOptions = {
    -    externalFileAccess: true,
    +    externalFileAccess: false,
         transformDocument: identity,
         includeDefaultStyleMap: true,
         includeEmbeddedStyleMap: true
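Review bot: flipping `externalFileAccess` from `true` to `false` in `standardOptions` changes conversion output for every existing caller that relied on externally linked images (they now get an empty result plus a "could not read external image" error, as the updated tests show), so this deserves to be flagged as a breaking change rather than a quiet default tweak; also, the opt-in path still resolves whatever target the document names, so consider a follow-up that, even when the option is enabled, restricts targets to regular files beneath the input document's directory.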
    
  • NEWS+2 1 modified
    @@ -2,7 +2,8 @@
     
     * Ignore style definitions using a style ID that has already been used.
     
    -* Support disabling external file accesses using the externalFileAccess option.
    +* Disable external file accesses by default. External file access can be enabled
    +  using the externalFileAccess option.
     
     * Handle numbering levels defined without an index.
     
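Review bot: the NEWS entry on the two added lines reads as a routine option change; since the new default exists to close an arbitrary file read through externally linked images (CVE-2025-11849), say so explicitly and state that callers depending on external images must now opt in with `externalFileAccess: true`, so downstream packagers and users can tell this release is security-relevant.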
    
  • README.md+6 5 modified
    @@ -377,9 +377,9 @@ Converts the source document to HTML.
          set `options.includeDefaultStyleMap` to `false`.
     
       * `externalFileAccess`: Source documents may reference files outside of the source document.
    -    To disable access to any such external files during the conversion process,
    -    set `options.externalFileAccess` to `false`.
    -    This is highly recommended when converting untrusted user input.
    +    Access to any such external files is disabled by default.
    +    To enable access when converting trusted source documents,
    +    set `options.externalFileAccess` to `true`.
     
       * `convertImage`: by default, images are converted to `<img>` elements with the source included inline in the `src` attribute.
         Set this option to an [image converter](#image-converters) to override the default behaviour.
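Review bot: the removed line "This is highly recommended when converting untrusted user input." carried the only warning in this option's description; the replacement says to enable access "when converting trusted source documents" but never states what enabling it risks, so add a sentence that setting `options.externalFileAccess` to `true` lets the document author read any file the converting process can read.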
    @@ -541,8 +541,9 @@ For instance:
       and embed the HTML into your website,
       this may allow arbitrary files on the server to be read and exfiltrated.
     
    -  To disable access to any such external files during the conversion process,
    -  set `options.externalFileAccess` to `false`.
    +  To avoid this issue, access to any such external files is disabled by default.
    +  To enable access when converting trusted source documents,
    +  set `options.externalFileAccess` to `true`.
     
     ### Document transforms
     
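Review bot: "trusted source documents" is carrying the whole security argument here; the unchanged context lines already say external references "may allow arbitrary files on the server to be read and exfiltrated", so state plainly that setting `options.externalFileAccess` to `true` restores exactly that behaviour with no path restriction, rather than leaving readers to infer it from the word "trusted".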
    
  • test/mammoth.tests.js+6 6 modified
    @@ -309,27 +309,27 @@ test('src of inline images can be changed using readAsBuffer()', function() {
         });
     });
     
    -test('images stored outside of document are included in output', function() {
    +test('when external file access is enabled then images stored outside of document are included in output', function() {
         var docxPath = path.join(__dirname, "test-data/external-picture.docx");
    -    return mammoth.convertToHtml({path: docxPath}).then(function(result) {
    +    return mammoth.convertToHtml({path: docxPath}, {externalFileAccess: true}).then(function(result) {
             assert.equal(result.value, '<p><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAoAAAAKCAIAAAACUFjqAAAAAXNSR0IArs4c6QAAAAlwSFlzAAAOvgAADr4B6kKxwAAAABNJREFUKFNj/M+ADzDhlWUYqdIAQSwBE8U+X40AAAAASUVORK5CYII=" /></p>');
             assert.deepEqual(result.messages, []);
         });
     });
     
    -test('error if images stored outside of document are specified when passing file without path', function() {
    +test('when external file access is enabled then error if images stored outside of document are specified when passing file without path', function() {
         var docxPath = path.join(__dirname, "test-data/external-picture.docx");
         var buffer = fs.readFileSync(docxPath);
    -    return mammoth.convertToHtml({buffer: buffer}).then(function(result) {
    +    return mammoth.convertToHtml({buffer: buffer}, {externalFileAccess: true}).then(function(result) {
             assert.equal(result.value, '');
             assert.equal(result.messages[0].message, "could not find external image 'tiny-picture.png', path of input document is unknown");
             assert.equal(result.messages[0].type, "error");
         });
     });
     
    -test('error if images stored outside of document are specified when external file access is disabled', function() {
    +test('given external file access is disabled by default then error if images stored outside of document are specified', function() {
         var docxPath = path.join(__dirname, "test-data/external-picture.docx");
    -    return mammoth.convertToHtml({path: docxPath}, {externalFileAccess: false}).then(function(result) {
    +    return mammoth.convertToHtml({path: docxPath}).then(function(result) {
             assert.equal(result.value, '');
             assert.equal(result.messages[0].message, "could not read external image 'tiny-picture.png', external file access is disabled");
             assert.equal(result.messages[0].type, "error");
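Review bot: the explicit `{externalFileAccess: false}` case is no longer covered: the third test was rewritten to rely on the default instead of being kept beside a new default-off test, so a regression that keeps the default safe but breaks an explicit `false` would go unnoticed; keep both variants, and consider adding a buffer-input case under the default, since the existing buffer test now only runs with access enabled.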
    
