CVE-2025-11849
critical
CVSS v3
9.3
CVSS v4
5.4
VIR risk
9.3
Description
Mammoth is vulnerable to Directory Traversal
Predictions
Exploit likelihood
95%
Patch ETA
n/a
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| npm | mammoth | >=0.3.25,<1.11.0 | 1.11.0 |
| Maven | org.zwobble.mammoth:mammoth | <1.11.0 | 1.11.0 |
| PyPI | mammoth | >=0.3.25,<1.11.0 | 1.11.0 |
| NuGet | Mammoth | <1.11.0 | 1.11.0 |
References
- https://gist.github.com/AudunWA/4d690d9ae5efdafe7cf71d9c2ee90a10
- https://github.com/mwilliamson/mammoth.js/commit/c54aaeb43a7941317c1f3c119ffa92090f988820
- https://security.snyk.io/vuln/SNYK-DOTNET-MAMMOTH-13561968
- https://security.snyk.io/vuln/SNYK-JAVA-ORGZWOBBLEMAMMOTH-13561969
- https://security.snyk.io/vuln/SNYK-JS-MAMMOTH-13554470
- https://security.snyk.io/vuln/SNYK-PYTHON-MAMMOTH-13561967
- https://nvd.nist.gov/vuln/detail/CVE-2025-11849
- https://github.com/mwilliamson/java-mammoth
CWEs
CWE-22