PT-2023-27907 · Knplabs · Knplabs/Knp-Snappy

Reporter: Nightfury99 · Published: 2023-03-17 · Updated: 2023-09-12 · CVE-2023-41330

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: knplabs/knp-snappy versions prior to 1.4.3
Description: The issue concerns a PHAR deserialization vulnerability in the knplabs/knp-snappy PHP library. This vulnerability allows an attacker to gain remote code execution by exploiting the lack of proper checking of the protocol (stream wrapper) in a filename before it is passed to the file_exists() function. If an attacker can upload files to the server, they can pass a phar:// path so that PHP unserializes the uploaded file and instantiates arbitrary PHP objects, leading to remote code execution. This is particularly concerning when snappy is used with frameworks that have documented POP chains, such as Laravel or Symfony. The vulnerability can be exploited if the user can control the output file passed to the generateFromHtml() function, which will trigger the deserialization. The estimated number of potentially affected devices worldwide is not specified.
Recommendations: For versions prior to 1.4.3, upgrade to version 1.4.3 or later to address the vulnerability. For users unable to upgrade, ensure that only trusted users may submit data to the AbstractGenerator->generate(...) function. As a temporary workaround, consider restricting access to the generateFromHtml() function to minimize the risk of exploitation. Do not allow the phar:// protocol in the filename parameter of the prepareOutput() function until the issue is resolved.
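The mitigation described above, as an added illustration (this is not knp-snappy's own code; the OutputPathGuard class name and the allowed-directory policy are assumptions): validate the output filename before any file_exists() or stream call, rejecting every "scheme://" stream-wrapper prefix case-insensitively rather than only the literal string "phar://", and additionally requiring the path to resolve inside a configured output directory.

```php
<?php
// Added example, not library code: guard an output filename before it reaches
// file_exists() / fopen() so that PHP stream wrappers cannot be smuggled in.
declare(strict_types=1);

final class OutputPathGuard
{
    public function __construct(private string $baseDir) {}

    /** Returns a safe absolute path or throws InvalidArgumentException. */
    public function check(string $filename): string
    {
        // Any "scheme://" prefix selects a PHP stream wrapper (phar://, data://, ...).
        // Match case-insensitively so "PHAR://" is refused just like "phar://".
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $filename) === 1) {
            throw new InvalidArgumentException('Stream wrappers are not allowed in the output path.');
        }
        if (strpos($filename, "\0") !== false) {
            throw new InvalidArgumentException('Null byte in output path.');
        }
        // Resolve the containing directory and require it to sit under $baseDir,
        // which also neutralises "../" traversal in the supplied name.
        $dir  = realpath(dirname($filename));
        $base = realpath($this->baseDir);
        if ($dir === false || $base === false
            || strpos($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
            throw new InvalidArgumentException('Output path must be inside the configured output directory.');
        }
        return $dir . DIRECTORY_SEPARATOR . basename($filename);
    }
}

// Constructed sample inputs: two wrapper-prefixed names and one plain path.
$tmp   = sys_get_temp_dir();
$guard = new OutputPathGuard($tmp);
foreach (["phar://$tmp/upload.jpg/x", "PHAR://$tmp/upload.jpg/x", "$tmp/report.pdf"] as $candidate) {
    try {
        echo 'accepted: ' . $guard->check($candidate) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected ($candidate): " . $e->getMessage() . PHP_EOL;
    }
}
```

Only the plain path under the temp directory is accepted; both wrapper-prefixed names are rejected before any filesystem function sees them.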

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers:
CVE-2023-41330
GHSA-92RV-4J2H-8MJJ
GHSA-GQ6W-Q6WH-JGGC

Affected Products: Knplabs/Knp-Snappy