logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-39919 @jmondi/url-to-png

Package

Manager: npm
Name: @jmondi/url-to-png
Vulnerable Version: >=0 <2.1.2

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N

EPSS: 0.00066 pctl0.20909

Details

@jmondi/url-to-png enables capture screenshot of localhost web services (unauthenticated pages) ### Summary The maintainer been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service. The package includes an `ALLOW_LIST` where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed. The maintainer is of the opinion that the package should also have a blacklist due to a potential vulnerability (or rather design oversight). If someone hosts this on a server, users could then capture screenshots of other web services running locally. Unless this is strictly for web pages. Something similar here: https://github.com/follow-redirects/follow-redirects/issues/235 (localhost is intended for end users or hosts to deny, and the package is for HTTP/HTTPS.) This is marked as a `LOW` since the maintainer is not sure if this is a vulnerability, but it's still best to highlight it. :) ### PoC Have a service like so running locally: ```js const http = require("http") const server = http.createServer((req, res) => { console.log("Received headers:", req.headers) res.writeHead(200, { "Content-Type": "text/plain" }) res.end("Something private! But Hello from Server 2 :)") }) server.listen(3001, () => { console.log("Server two running on http://localhost:3001") }) ``` Run the package in dev mode, `pnpm dev`. Feed these URLs: ``` http://localhost:3089/?url=http://[::]:3001&width=4000 http://localhost:3089/?url=http://localhost:3001&width=4000 http://localhost:3089/?url=http://127.0.01:3001&width=4000 ``` <img width="622" alt="image" src="https://github.com/jasonraimondi/url-to-png/assets/42532003/21f1c883-ba00-4a15-83b8-922484fa4c2b"> ### Impact Disclose internal web services?

Metadata

Created: 2024-07-15T17:47:00Z
Modified: 2024-11-18T16:26:52Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-342q-2mc2-5gmp/GHSA-342q-2mc2-5gmp.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-342q-2mc2-5gmp
Finding: F308
Auto approve: 1