PT-2019-14009 · Html Pdf · Html-Pdf

Published: 2019-09-20 · Updated: 2022-01-01 · CVE-2019-15138

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

html-pdf versions 2.2.0 and earlier
html-pdf (all versions)

Description

The issue allows for arbitrary file read via an HTML file that uses XMLHttpRequest to access a file:/// URL. This is due to the package's failure to sanitize HTML input, enabling attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. For example, input with an XHR request such as request.open("GET","file:///etc/passwd") will result in a PDF document with the contents of /etc/passwd.

Recommendations

For version 2.2.0, there is currently no information about a newer version that contains a fix for this vulnerability. For all versions, consider restricting the execution of XHR requests in the HTML code to minimize the risk of exploitation. Avoid using the request.open() function with file:/// URLs in the affected API endpoint until the issue is resolved.
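
One way to apply the recommendation above is to refuse any submitted HTML that contains more than attribute-free formatting tags, so no script ever reaches the renderer. This is an added example, not code from html-pdf or from this advisory; `checkUntrustedHtml` and `ALLOWED_TAGS` are hypothetical names, and the tag list is an assumption to adapt.

```javascript
// Added example: allow-list gate for untrusted HTML before PDF rendering.
// checkUntrustedHtml and ALLOWED_TAGS are hypothetical names, not html-pdf API.

// Formatting-only tags (assumed list); none can load a resource or run script.
const ALLOWED_TAGS = new Set([
  'p', 'br', 'b', 'i', 'u', 'em', 'strong', 'h1', 'h2', 'h3',
  'ul', 'ol', 'li', 'table', 'thead', 'tbody', 'tr', 'th', 'td',
]);

// An accepted tag is "<name>", "</name>" or "<name/>" with no attributes,
// so event handlers, src/href URLs and inline styles cannot appear.
const BARE_TAG = /^<\/?([a-z][a-z0-9]*)\s*\/?>/i;

function checkUntrustedHtml(html) {
  if (typeof html !== 'string') {
    return { ok: false, reason: 'input is not a string' };
  }
  // Every "<" must start an allowed bare tag; anything else is rejected,
  // including comments, doctype declarations and a literal "<" in text.
  for (let i = html.indexOf('<'); i !== -1; i = html.indexOf('<', i + 1)) {
    const m = BARE_TAG.exec(html.slice(i, i + 32));
    if (!m) {
      return { ok: false, reason: `markup at offset ${i} is not a bare tag` };
    }
    const name = m[1].toLowerCase();
    if (!ALLOWED_TAGS.has(name)) {
      return { ok: false, reason: `tag <${name}> is not allowed` };
    }
  }
  return { ok: true, reason: null };
}

// Constructed inputs: a benign fragment, the XHR pattern quoted in the
// description, and a tag carrying an attribute.
const samples = [
  '<h1>Invoice</h1><p>Total: <b>42</b></p>',
  '<script>request.open("GET","file:///etc/passwd")</script>',
  '<p style="x">hi</p>',
];
for (const s of samples) {
  console.log(JSON.stringify(checkUntrustedHtml(s)));
}
```

Run the check in the request handler and pass only accepted input to the renderer; text that needs a literal `<` must arrive as `&lt;`.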

Exploit

Exposure of Resource to Wrong Sphere

Information Disclosure

XSS

Weakness Enumeration

Related Identifiers

CVE-2019-15138
GHSA-X4W5-R546-X9QH

Affected Products

Html-Pdf