spatie/browsershot CVE-2025-3192
HIGHSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Versions of the package spatie/browsershot from 0.0.0 are vulnerable to Server-side Request Forgery (SSRF) in the setUrl() function due to a missing restriction on user input, enabling attackers to access localhost and list all of its directories.
AnalysisAI
Server-Side Request Forgery in spatie/browsershot enables remote attackers to probe internal network infrastructure and enumerate localhost directories via the setUrl() function. All versions from 0.0.0 onwards are affected, creating broad exposure for PHP applications using this Puppeteer wrapper library. EPSS score of 0.29% (53rd percentile) suggests low automated scanning activity currently, and publicly available exploit code exists demonstrating the vulnerability.
Technical ContextAI
spatie/browsershot is a PHP package that provides a convenient wrapper around Google Puppeteer/Chromium to convert web pages to images or PDFs. The vulnerability resides in the setUrl() function which accepts arbitrary URLs without validating or restricting the destination. This is a classic CWE-918 Server-Side Request Forgery flaw where user-controlled input flows directly into a network request operation. The underlying Chromium instance, running server-side, acts as a proxy to fetch attacker-specified URLs, including internal addresses (localhost, 127.0.0.1, RFC1918 ranges) that should be inaccessible from the internet. The package's design assumes developers will sanitize URLs before passing to setUrl(), but the library itself provides no built-in SSRF defenses such as allowlists, protocol restrictions, or private IP blocking.
Affected ProductsAI
All versions of spatie/browsershot from 0.0.0 onwards are vulnerable according to the Snyk advisory SNYK-PHP-SPATIEBROWSERSHOT-8548015. This package is distributed via Composer for PHP projects and commonly used in Laravel and Symfony applications for PDF generation and web scraping. The CPE string is not provided in available data, but the affected ecosystem is clearly PHP/Composer. No specific version range upper bound has been published, suggesting either no patch exists yet or patch version has not been independently confirmed. Vendor advisory URL is not available in the provided references - only third-party security research from Snyk and a proof-of-concept demonstration.
RemediationAI
No vendor-released patch version has been independently confirmed at time of analysis. The Snyk advisory (https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8548015) should be monitored for patch availability. Until an official fix is released, implement strict input validation before passing URLs to setUrl(): create an allowlist of permitted domains and schemes (only https:// for external sites), reject all private IP ranges (127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16), block localhost and link-local addresses, and deny file://, gopher://, and other dangerous protocols. Consider wrapping browsershot calls in a validation layer that parses URLs with parse_url() and enforces domain restrictions. For high-security environments, run browsershot in an isolated network segment with egress filtering that blocks internal network access, though this adds infrastructure complexity and may break legitimate external URL fetching. If the application only needs to screenshot a fixed set of pages, eliminate user input entirely by hardcoding permitted URLs. Note that URL validation is complex (unicode bypasses, DNS rebinding, TOCTOU races) so defense-in-depth with network segmentation is recommended even with input filtering.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today