spatie/browsershot CVE-2025-1022
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (snyk) · only source for this CVE.
CVSS VectorVendor: snyk
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(), which can be bypassed by omitting the slashes in the file URI (e.g., file:../../../../etc/passwd). This is due to missing validations of the user input that should be blocking file URI schemes (e.g., file:// and file:/) in the HTML content.
AnalysisAI
Information disclosure in spatie/browsershot (PHP library) allows remote unauthenticated attackers to read arbitrary local files through file URI scheme bypass in HTML rendering. Versions before 5.0.5 fail to validate file:// URI schemes in the setHtml function, enabling access to sensitive files like /etc/passwd via crafted file: URIs without slashes. Publicly available exploit code exists (EPSS 0.18%), patch confirmed in version 5.0.5 via vendor commits bcfd608 and e327397.
Technical ContextAI
Spatie/browsershot is a PHP package that uses Puppeteer/Chrome headless browser to convert HTML to PDF or images. The vulnerability exists in the setHtml function invoked by Browsershot::html() which accepts arbitrary HTML content. The flaw stems from insufficient input validation (CWE-20: Improper Input Validation) that attempts to block file URI schemes but only filters standard formats like file:// and file:/. The validation logic fails to detect malformed file URIs such as file:../../../../etc/passwd (omitting slashes after the colon), allowing the underlying Chrome/Puppeteer renderer to interpret these as valid file system references and access local files. This is a path traversal variant where the filtering mechanism can be bypassed through URI malformation rather than traditional directory traversal.
Affected ProductsAI
Spatie/browsershot package for PHP versions prior to 5.0.5 are vulnerable. The issue affects all deployments where the Browsershot::html() method processes untrusted HTML content. CPE designation not provided in NVD data. Vendor advisory available at https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496747 with detailed technical analysis. GitHub repository confirms vulnerability in the setHtml function across all pre-patch versions.
RemediationAI
Upgrade spatie/browsershot to version 5.0.5 or later, which implements comprehensive file URI scheme validation via commits bcfd608b264fab654bf78e199bdfbb03e9323eb7 and e3273974506865a24fbb5b65b534d8d4b8dfbf72. For systems unable to upgrade immediately, implement application-layer input sanitization to reject any HTML content containing 'file:' strings before passing to Browsershot::html() - note this workaround may break legitimate use cases requiring file URI support and could be bypassed via encoding variations (URL encoding, Unicode normalization). Alternatively, restrict Browsershot usage to trusted internal content only and validate HTML sources through allowlisting rather than blocklisting approaches. Running the Chrome/Puppeteer process in a sandboxed container with read-only filesystem mounts limits file disclosure scope but adds operational complexity and may impact performance. Review application logs for suspicious HTML inputs containing file: patterns to identify potential exploitation attempts.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today