PT-2024-18956 · Spatie · Spatie/Browsershot

Muhammad Firdaus Amran

Published

2024-12-13

Updated

2025-10-01

CVE-2024-21544

CVSS v3.1

8.6

High

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions spatie/browsershot versions prior to 5.0.1

Description The issue is related to improper input validation due to incorrect URL validation through the setUrl method. An attacker can exploit this by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion. This allows the attacker to read sensitive files on the server.

Recommendations For versions prior to 5.0.1, update to version 5.0.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the setUrl method to minimize the risk of exploitation. Avoid using leading whitespace before the file:// protocol in URLs passed to the setUrl method until the issue is resolved.

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

CVE-2024-21544

GHSA-G2R4-PHV7-5FGV

Affected Products

Spatie/Browsershot

PT-2024-18956 · Spatie · Spatie/Browsershot

CVE-2024-21544

Weakness Enumeration

Related Identifiers

Affected Products

References · 15