PT-2024-28732 · npm · @jmondi/url-to-png

Realarcherl · Published 2024-07-15 · Updated 2024-07-16 · CVE-2024-39919

CVSS v4.0: 6.3 (Medium)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: @jmondi/url-to-png versions prior to 2.1.1
Description: The issue concerns the ALLOW_LIST setting of the @jmondi/url-to-png package, which by default permits capturing screenshots of web services running on localhost, 127.0.0.1 or [::]. When the package is hosted on a server, anyone who can submit a URL to it can therefore request screenshots of other web services bound to that server's loopback interface, disclosing internal web services that were never meant to be reachable from outside (a server-side request forgery that lands on the host itself). This has been addressed with the addition of a blocklist in version 2.1.1.
Recommendations: For versions prior to 2.1.1, upgrade to version 2.1.1 to resolve the issue. As a temporary workaround, restrict the ALLOW_LIST to the external hosts you actually need to screenshot, so that loopback and other internal addresses are not accepted, and avoid running the package on a host from which it can reach internal web services until it is upgraded. At the moment there is no other information about additional mitigation measures.

Exploit

Fix

Weakness Enumeration: Information Disclosure

Related Identifiers: CVE-2024-39919, GHSA-342q-2mc2-5gmp

Affected Products: @jmondi/url-to-png