CVE-2025-1022

Name of the Vulnerable Software and Affected Versions spatie/browsershot versions prior to 5.0.5

Description The issue is related to improper input validation in the setHtml function, which can be bypassed by omitting slashes in the file URI, such as file:../../../../etc/passwd. This is due to missing validations of user input that should block file URI schemes, like file:// and file:/, in the HTML content. The Browsershot::html() function invokes the vulnerable setHtml function.

Recommendations For spatie/browsershot versions prior to 5.0.5, consider updating to version 5.0.5 or later to resolve the issue. As a temporary workaround, consider validating user input to block file URI schemes in the HTML content to minimize the risk of exploitation. Restrict the use of the setHtml function until a patch is applied.