PT-2025-4136 · Spatie · Spatie/Browsershot

Chua Jian Shen · Published 2025-02-05 · Updated 2025-02-10 · CVE-2025-1026

CVSS v3.1: 8.6 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

spatie/browsershot versions prior to 5.0.5

Description

Improper URL validation in the setUrl method results in a Local File Inclusion that allows attackers to read sensitive files. This is a bypass of a previous fix.

Recommendations

Update to version 5.0.5 or later to resolve the issue. As a temporary workaround for versions prior to 5.0.5, consider restricting the use of the setUrl method to minimize the risk of exploitation.
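
One way to restrict what reaches setUrl, shown as an added example that is not code from Browsershot or from this advisory: an allowlist check applied to caller-supplied URLs before rendering. The function name isRenderableUrl, the host allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: decide whether a caller-supplied URL may be passed on
// to setUrl(). Allowlist approach: anything not explicitly permitted is refused.
function isRenderableUrl(string $url, array $allowedHosts): bool
{
    // Refuse control characters, whitespace and backslashes instead of trying
    // to normalise them; URL parsers do not agree on how to treat them.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url) === 1) {
        return false;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // relative paths and scheme-less input are refused
    }

    // Only http and https are accepted; every other scheme is refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // Embedded credentials make the real host easy to misread; refuse them.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    // Assumption: the application knows in advance which hosts it renders.
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Constructed sample inputs, not taken from the advisory.
$samples = [
    'https://reports.example.com/invoice/42',
    'https://other.example.net/',
    'https://user@reports.example.com/',
    'file:///etc/passwd',
    '/etc/passwd',
];

foreach ($samples as $candidate) {
    $ok = isRenderableUrl($candidate, ['reports.example.com']);
    printf("%-42s %s\n", $candidate, $ok ? 'allow' : 'reject');
    // Only a value marked "allow" would be handed to setUrl() by the caller.
}
```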

Fix

Path traversal

RCE


Weakness Enumeration

Related Identifiers

CVE-2025-1026
GHSA-F2Q5-6MX7-Q9QQ

Affected Products

Spatie/Browsershot