CVE-2025-1026
Published: 05 February 2025
Description
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. **Note:** This is a bypass of the fix for [CVE-2024-21549](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023).
Security Summary
CVE-2025-1026 is an Improper Input Validation vulnerability (CWE-20) affecting versions of the PHP package spatie/browsershot prior to 5.0.5. The issue stems from inadequate URL validation in the setUrl method, enabling a Local File Inclusion (LFI) attack that allows attackers to read sensitive files on the server. Published on 2025-02-05, this vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and represents a bypass of the mitigation for the related CVE-2024-21549.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By supplying a specially crafted URL to the setUrl method—such as one using file protocol schemes or path traversal techniques—an attacker can trick the package into loading and exposing contents of arbitrary local files, including sensitive configuration files, credentials, or system data, without impacting integrity or availability.
Mitigation involves upgrading to spatie/browsershot version 5.0.5 or later, where the fix is implemented via commit e3273974506865a24fbb5b65b534d8d4b8dfbf72 and pull request #908. Security advisories from Snyk detail the vulnerability and recommend validating all user-supplied inputs to the setUrl method, while proof-of-concept exploits are available in referenced GitHub gists.
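The input validation recommended above can be applied in the calling application in addition to upgrading to 5.0.5. The following is an added example, not code from spatie/browsershot or from the advisory; the function name assertRenderableUrl() and the policy it enforces (absolute http/https URLs only, no credentials, no whitespace or backslashes) are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example: assertRenderableUrl() and its policy are assumptions,
// not part of spatie/browsershot.
function assertRenderableUrl(string $url): string
{
    // Reject whitespace, control characters and backslashes rather than
    // normalising them, to reduce the room for PHP and the browser to
    // interpret the same string differently.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url) === 1) {
        throw new InvalidArgumentException('forbidden character in URL');
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('URL must be absolute, with scheme and host');
    }

    // Allow-list the scheme; everything else (file, data, ...) is refused.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http and https are allowed');
    }

    // Embedded credentials are not needed to render a page.
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('credentials in URL are not allowed');
    }

    return $url;
}

// Constructed sample inputs.
$samples = [
    'https://example.com/report?id=7',
    'file:///path/to/local/file',
    '../storage/config',
    "https://example.com/\tpage",
    'HTTPS://user:secret@example.com/',
];

foreach ($samples as $sample) {
    try {
        assertRenderableUrl($sample);
        printf("accept  %s\n", json_encode($sample));
    } catch (InvalidArgumentException $e) {
        printf("reject  %s (%s)\n", json_encode($sample), $e->getMessage());
    }
}
```

Only the value returned by the check should be passed on to setUrl. The check restricts the scheme and shape of the URL; it does not decide which hosts the renderer may reach, which needs a separate control.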
Details
- CWE(s)