CVE-2024-39918

Name of the Vulnerable Software and Affected Versions @jmondi/url-to-png versions prior to 2.1.2

Description The issue arises from the lack of sanitization of the ImageId input in the code, leading to a path traversal vulnerability. This allows an attacker to store an image in an arbitrary location that the server has permission to access. The vulnerability is different from traditional path traversal issues, as it enables storing images in any location. There are no known workarounds for this issue.

Recommendations For versions prior to 2.1.2, upgrade to version 2.1.2 to address the issue. As a temporary workaround, consider sanitizing the ImageId input by removing special characters from the parameters, such as using the slugify function for the params. For example, modify the imageId assignment to const imageId = dateString + "." + slugify(validData.url) + slugify(configToString(params));. This will help prevent path traversal attacks until the official patch is applied.