CVE-2024-21544 | THREATINT

Description

Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation in the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion, which allows the attacker to read sensitive files on the server.

PUBLISHED Reserved 2023-12-22 | Published 2024-12-13 | Updated 2025-10-01 | Assigner snyk

HIGH: 7.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P

HIGH: 8.6CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P

Problem types

Improper Input Validation

Credits

Muhammad Firdaus Amran

References

security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496745

github.com/...1b9977d8df570c67/src/Browsershot.php#L258-L269

github.com/...ommit/fae8396641b961f62bd756920b14f01a4391296e

cve.org (CVE-2024-21544)

nvd.nist.gov (CVE-2024-21544)

Download JSON