
Php Weasyprint

3 tracked CVEs

CVE-2026-49359 | Severity: MEDIUM | Recommended action: patch this month

PhpWeasyPrint (pontedilana/php-weasyprint) prior to version 2.6.0 enables server-side request forgery and local file disclosure through its `attachment` option, which passes any URL-shaped value through PHP's `file_get_contents()` without restricting the URL scheme. Applications that expose the `attachment` option to user-controlled input allow an attacker to probe internal HTTP endpoints (including cloud instance metadata services) and read arbitrary local files by supplying schemes such as `file://` or `php://filter/...`, with exfiltrated content embedded directly into the generated PDF output. This is the same vulnerability class patched in KnpLabs/snappy (GHSA-c5fp-p67m-gq56); no public exploit or CISA KEV listing exists at time of analysis.

Tags: PHP, SSRF, Php Weasyprint
References: NVD, GitHub
CVSS 3.1 base score: 6.5
CVE-2026-49286 | Severity: HIGH | Recommended action: patch this week

PHAR deserialization in PhpWeasyPrint versions prior to 2.6.0 allows remote code execution by bypassing the case-sensitive `phar://` blacklist introduced for CVE-2023-28115. PHP resolves stream wrapper names case-insensitively, so a value such as `PHAR://` or `PhAr://` passes the prefix check and still reaches `file_exists()` in `prepareOutput()`. When the library runs on a PHP version that still unserializes PHAR metadata automatically on filesystem calls such as `file_exists()` (before PHP 8.0) and an attacker can influence the output filename argument passed to the generation methods, the metadata of a crafted PHAR archive is unserialized and a gadget chain in the application's dependencies yields code execution. No CISA KEV listing and no public exploit were identified at time of analysis for this specific CVE, although the equivalent upstream KnpLabs/snappy advisory (GHSA-92rv-4j2h-8mjj) ships a working phpggc-based PoC that is directly portable.

Tags: PHP, Deserialization, RCE, Php Weasyprint
References: NVD, GitHub
CVSS 3.1 base score: 8.1
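The following PHP is an added example written for this page; it is not code from pontedilana/php-weasyprint or KnpLabs/snappy, and every function name in it is hypothetical. It reproduces the bypassable case-sensitive prefix check described above, then shows a case-insensitive scheme parser used as an allowlist: it rejects any wrapper-prefixed output filename (the CVE-2026-49286 path) and restricts an `attachment` value to http/https URLs whose host, when it is an IP literal, is not in a loopback, link-local, private or reserved range (the CVE-2026-49359 path).

```php
<?php
declare(strict_types=1);

/*
 * Added example, not library code. Function names are hypothetical.
 * (1) naiveAcceptsOutputPath: the bypassable check.
 * (2) streamScheme / isSafeOutputPath / isSafeAttachmentUrl: allowlist-based replacement.
 */

/** The bypassable pattern: case-sensitive prefix comparison. Returns true when the path is accepted. */
function naiveAcceptsOutputPath(string $path): bool
{
    return substr($path, 0, 7) !== 'phar://';
}

/**
 * Return the stream wrapper / URL scheme in lower case, or null for a plain path.
 * PHP looks wrappers up case-insensitively, so "PHAR://" selects the same wrapper as "phar://".
 * Note: a Windows drive letter such as "C:\tmp" is reported as scheme "c"; a Windows
 * deployment needs a carve-out for that, which is left out here.
 */
function streamScheme(string $value): ?string
{
    return preg_match('/^([a-z][a-z0-9+.\-]*):/i', $value, $m) === 1 ? strtolower($m[1]) : null;
}

/** Output filename: a plain filesystem path only, no wrapper of any case, no NUL byte. */
function isSafeOutputPath(string $path): bool
{
    return streamScheme($path) === null && strpos($path, "\0") === false;
}

/** True for loopback, link-local (169.254.0.0/16 is where cloud metadata services live), private and reserved ranges. */
function isNonPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

/**
 * attachment option: only http/https, and an IP-literal host must be public.
 * A hostname still has to be resolved and the resolved address checked the same way
 * (and re-checked at connect time, because DNS rebinding can change the answer);
 * that needs the network and is not done in this offline example.
 */
function isSafeAttachmentUrl(string $url): bool
{
    if (!in_array(streamScheme($url), ['http', 'https'], true)) {
        return false;                       // file://, php://, phar://, data:, plain paths
    }
    $host = parse_url($url, PHP_URL_HOST);
    if (!is_string($host) || $host === '') {
        return false;
    }
    $host = trim($host, '[]');              // IPv6 literal
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return !isNonPublicIp($host);
    }
    return true;                            // hostname: resolve and check before fetching
}

// Constructed probe values, each exercising one of the cases the advisories describe.
$probes = [
    'PHAR:///tmp/evil.phar',                                       // bypasses the naive check
    'PhAr:///tmp/evil.phar',
    '/tmp/output.pdf',                                             // legitimate output path
    'php://filter/convert.base64-encode/resource=/etc/passwd',     // local file read via attachment
    'file:///etc/passwd',
    'http://169.254.169.254/latest/meta-data/',                    // metadata-service SSRF
    'https://example.com/report.pdf',                              // legitimate attachment
];
foreach ($probes as $p) {
    printf("%-60s naive=%-5s output=%-5s attachment=%s\n", $p,
        var_export(naiveAcceptsOutputPath($p), true),
        var_export(isSafeOutputPath($p), true),
        var_export(isSafeAttachmentUrl($p), true));
}
```

Run it with `php` to see each probe's verdict: both `PHAR://` spellings pass the naive check and fail the scheme check, the `php://filter` and `file://` values are refused as attachments, and the metadata-service URL is refused by the IP-range check while `https://example.com/...` is accepted. The scheme allowlist closes the wrapper abuse; the SSRF side additionally needs the hostname resolution step noted in the code, since an allowlisted `http://` URL with an internal hostname is still an internal request.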
CVE-2026-49358 | Severity: LOW | Recommended action: monitor

Arbitrary file deletion in PhpWeasyPrint prior to version 2.6.0 allows any code holding a reference to a generator instance to inject arbitrary filesystem paths into the public `AbstractGenerator::$temporaryFiles` array, which are then passed to `unlink()` without path-containment validation during script shutdown or object destruction. The vulnerability mirrors a previously disclosed pattern in the related KnpLabs/snappy library (GHSA-87qc-37cw-84h4), and is exploitable by malicious dependencies, plugin code, or any PHP code co-located in the same process with access to the generator object. No public exploit has been identified at time of analysis, and exploitation is substantially constrained by the requirement for high privileges and local code access.

Tags: PHP, RCE, Php Weasyprint
References: NVD, GitHub, VulDB
CVSS 3.1 base score: 3.0
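An added example, not the library's own code (the class and method names are hypothetical): a temporary-file holder that keeps its list private, so co-located code cannot append paths to it the way the public `$temporaryFiles` array allows, and that still checks at cleanup time that every entry resolves to a regular file inside the directory the object created before it calls `unlink()`. The demo creates a throwaway file outside that directory and a symlink inside it that points outside, and shows that neither is deleted.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not code from pontedilana/php-weasyprint. Names are hypothetical.
 * Two layers: a private list (no injection from outside the class) plus a
 * containment check on every entry at deletion time (defence in depth).
 */
final class TemporaryFileStore
{
    /** @var string[] paths this object created; private, so nothing else can add to it */
    private array $files = [];
    private string $baseDir;

    public function __construct()
    {
        $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pdf-' . bin2hex(random_bytes(6));
        if (!mkdir($dir, 0700) || ($real = realpath($dir)) === false) {
            throw new RuntimeException("cannot create $dir");
        }
        $this->baseDir = $real;
    }

    /** Create a temporary file under baseDir, record it, and return its path. */
    public function create(string $suffix, string $content): string
    {
        $path = $this->baseDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(8)) . $suffix;
        file_put_contents($path, $content);
        $this->files[] = $path;
        return $path;
    }

    /** True only for an existing regular file whose resolved path lies inside baseDir. */
    public function isContained(string $path): bool
    {
        $real = realpath($path);                      // resolves symlinks and ".." segments
        if ($real === false || !is_file($real)) {
            return false;
        }
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        return strncmp($real, $prefix, strlen($prefix)) === 0;
    }

    /** Delete recorded files that pass the containment check; return [deleted, skipped]. */
    public function cleanup(): array
    {
        $deleted = $skipped = [];
        foreach ($this->files as $file) {
            if ($this->isContained($file)) {
                unlink($file);
                $deleted[] = $file;
            } else {
                $skipped[] = $file;
            }
        }
        $this->files = [];
        return [$deleted, $skipped];
    }

    public function __destruct()
    {
        $this->cleanup();                             // same guarded path at object destruction
    }
}

// Constructed demo: one legitimate temp file, one file outside the directory
// standing in for something an attacker would want deleted, one symlink escaping it.
$store  = new TemporaryFileStore();
$own    = $store->create('.html', '<p>report</p>');
$victim = tempnam(sys_get_temp_dir(), 'victim');
$link   = dirname($own) . DIRECTORY_SEPARATOR . 'link.html';
$haveLink = @symlink($victim, $link);

var_dump($store->isContained($own));                                           // true
var_dump($store->isContained($victim));                                        // false: outside baseDir
var_dump($store->isContained(dirname($own) . '/../' . basename($victim)));     // false: ".." resolved
var_dump($haveLink ? $store->isContained($link) : false);                      // false: symlink resolves outside

[$deleted, $skipped] = $store->cleanup();
var_dump(count($deleted) === 1 && file_exists($victim));                        // true: only our own file went

if ($haveLink) { unlink($link); }
unlink($victim);
rmdir(dirname($own));
```

The containment check is done on `realpath()` output rather than on the string that was recorded, which is what defeats both `..` segments and a symlink planted inside the temp directory; the trailing separator in the prefix comparison keeps `/tmp/pdf-abc` from matching a sibling such as `/tmp/pdf-abcdef`. The private list is the actual fix for the CVE; the check is what limits the damage if a future change exposes the list again.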
