CVE-2024-47049 – czim/file-handling
Package
Manager: composer
Name: czim/file-handling
Vulnerable Version: >=0 <1.5.0 || >=2.0.0 <2.3.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N
EPSS: 0.00211 (percentile: 0.43646)
Details
czim/file-handling vulnerable to SSRF and directory traversal
The czim/file-handling package before 1.5.0 and 2.x before 2.3.0 (used with PHP Composer) does not properly validate URLs within makeFromUrl and makeFromAny, leading to SSRF, and to directory traversal for the reading of local files.
Metadata
Created: 2024-09-17T15:31:23Z
Modified: 2025-03-19T15:39:58Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-6rgh-r6j3-3223/GHSA-6rgh-r6j3-3223.json
CWE IDs: CWE-22, CWE-918
Alternative ID: GHSA-6rgh-r6j3-3223
Finding: F063
Auto approve: 1