Skip to main content

spatie/browsershot CVE-2025-3192

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2025-04-04 report@snyk.io
7.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Apr 29, 2026 - 01:19 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 29, 2026 - 01:11 vuln.today
cvss_changed
CVSS changed
Apr 29, 2026 - 01:11 NVD
8.8 (HIGH) 7.8 (HIGH)
Analysis Generated
Mar 28, 2026 - 18:35 vuln.today
CVE Published
Apr 04, 2025 - 05:15 nvd
HIGH 8.8

DescriptionCVE.org

Versions of the package spatie/browsershot from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories.

AnalysisAI

Server-Side Request Forgery in spatie/browsershot enables remote attackers to probe internal network infrastructure and enumerate localhost directories via the setUrl() function. All versions from 0.0.0 onwards are affected, creating broad exposure for PHP applications using this Puppeteer wrapper library. EPSS score of 0.29% (53rd percentile) suggests low automated scanning activity currently, and publicly available exploit code exists demonstrating the vulnerability.

Technical ContextAI

spatie/browsershot is a PHP package that provides a convenient wrapper around Google Puppeteer/Chromium to convert web pages to images or PDFs. The vulnerability resides in the setUrl() function which accepts arbitrary URLs without validating or restricting the destination. This is a classic CWE-918 Server-Side Request Forgery flaw where user-controlled input flows directly into a network request operation. The underlying Chromium instance, running server-side, acts as a proxy to fetch attacker-specified URLs, including internal addresses (localhost, 127.0.0.1, RFC1918 ranges) that should be inaccessible from the internet. The package's design assumes developers will sanitize URLs before passing to setUrl(), but the library itself provides no built-in SSRF defenses such as allowlists, protocol restrictions, or private IP blocking.

Affected ProductsAI

All versions of spatie/browsershot from 0.0.0 onwards are vulnerable according to the Snyk advisory SNYK-PHP-SPATIEBROWSERSHOT-8548015. This package is distributed via Composer for PHP projects and commonly used in Laravel and Symfony applications for PDF generation and web scraping. The CPE string is not provided in available data, but the affected ecosystem is clearly PHP/Composer. No specific version range upper bound has been published, suggesting either no patch exists yet or patch version has not been independently confirmed. Vendor advisory URL is not available in the provided references - only third-party security research from Snyk and a proof-of-concept demonstration.

RemediationAI

No vendor-released patch version has been independently confirmed at time of analysis. The Snyk advisory (https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8548015) should be monitored for patch availability. Until an official fix is released, implement strict input validation before passing URLs to setUrl(): create an allowlist of permitted domains and schemes (only https:// for external sites), reject all private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16), block localhost and link-local addresses, and deny file://, gopher://, and other dangerous protocols. Consider wrapping browsershot calls in a validation layer that parses URLs with parse_url() and enforces domain restrictions. For high-security environments, run browsershot in an isolated network segment with egress filtering that blocks internal network access, though this adds infrastructure complexity and may break legitimate external URL fetching. If the application only needs to screenshot a fixed set of pages, eliminate user input entirely by hardcoding permitted URLs. Note that URL validation is complex (unicode bypasses, DNS rebinding, TOCTOU races) so defense-in-depth with network segmentation is recommended even with input filtering.

Share

CVE-2025-3192 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy