Description

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing validations of the user input that should be blocking file URI schemes (e.g., file:// and file:/) in the HTML content.

INFO

Published Date :

2025-02-05T05:00:15.399Z

Last Modified :

2025-03-16T13:16:06.494Z

Source :

snyk
AFFECTED PRODUCTS

The following products are affected by CVE-2025-1022 vulnerability.

Vendors Products
Spatie
  • Browsershot
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-1022.

URL Resource
https://gist.github.com/mrdgef/a820837c530e09e1dd725e013e0d4341 cve-icon cve-icon cve-icon
https://github.com/spatie/browsershot/commit/bcfd608b264fab654bf78e199bdfbb03e9323eb7 cve-icon cve-icon
https://github.com/spatie/browsershot/commit/e3273974506865a24fbb5b65b534d8d4b8dfbf72 cve-icon cve-icon
https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496747 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact