Platform
php
Component
spatie/browsershot
Fixed in
5.0.2
5.0.2
CVE-2024-21547 is a Directory Traversal vulnerability discovered in the spatie/browsershot PHP package. This flaw allows attackers to potentially read arbitrary files on the server by exploiting improper URI normalization. Versions of the package prior to 5.0.2 are affected. A fix has been released in version 5.0.2.
The vulnerability stems from a flaw in how spatie/browsershot handles file URLs. Specifically, the package fails to properly sanitize file URLs, allowing an attacker to bypass a supposed file:// check. By crafting a malicious file URL containing escaped backslashes (e.g., file:\\/etc/passwd), an attacker can trick the package into accessing files outside of the intended directory. This could lead to the exposure of sensitive configuration files, source code, or other critical data stored on the server. The potential impact is significant, as an attacker could gain a deeper understanding of the application's architecture and potentially exploit other vulnerabilities.
This vulnerability was publicly disclosed on December 18, 2024. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog at the time of this writing. The ease of exploitation is relatively low due to the need for careful URL crafting, but the potential impact is high if successful.
Exploit Status
EPSS
0.05% (16% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to version 5.0.2 or later of the spatie/browsershot package. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious file URLs with escaped backslashes. Input validation should be implemented to strictly control the allowed file paths and prevent the use of relative paths or URL manipulation techniques. Additionally, review your application's file handling logic to ensure that all file access is properly validated and sanitized. After upgrading, confirm the fix by attempting to access a restricted file via a crafted URL (e.g., file:\\/etc/passwd) and verifying that access is denied.
Update the spatie/browsershot library to version 5.0.2 or higher. This will resolve the path traversal vulnerability. Run `composer update spatie/browsershot` to update to the secure version.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-21547 is a Directory Traversal vulnerability affecting versions of spatie/browsershot before 5.0.2, allowing attackers to read arbitrary files on the server.
You are affected if you are using spatie/browsershot version 5.0.1 or earlier. Check your composer.json file to determine your version.
Upgrade to version 5.0.2 or later of the spatie/browsershot package using composer require spatie/browsershot:^5.0.2.
As of December 2024, there are no confirmed reports of active exploitation, but it is crucial to apply the fix promptly.
Refer to the spatie/browsershot GitHub repository for updates and advisories: https://github.com/spatie/browsershot
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.