CVE-2022-41706 – spatie/browsershot

Package

Manager: composer
Name: spatie/browsershot
Vulnerable Version: >=0 <3.57.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00135 pctl0.33978

Details

Browsershot does not validate URL protocols passed to Browsershot URL method Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method.

Metadata

Created: 2022-11-25T18:30:25Z
Modified: 2025-04-29T15:39:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-8c2c-jxwj-jqgf/GHSA-8c2c-jxwj-jqgf.json
CWE IDs: ["CWE-20", "CWE-79"]
Alternative ID: GHSA-8c2c-jxwj-jqgf
Finding: F184
Auto approve: 1