QwikSec

Security Database

CVE

CWE

Training

CVE-2025-1026

Published: Feb 5, 2025

Modified: Feb 12, 2025

PUBLISHED

CVSS v3.1

8.6

HIGH

Description

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. **Note:** This is a bypass of the fix for [CVE-2024-21549](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023).

Vendor	Product	Versions
n/a	spatie/browsershot	affected `0 - < 5.0.5`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:P

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

References

https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533024

https://gist.github.com/chuajianshen/6291920112fcf1543fa7b43862112be6

https://github.com/spatie/browsershot/pull/908

https://gist.github.com/mrdgef/54a8783408220c67c1b859df38a52d65

https://github.com/spatie/browsershot/commit/e3273974506865a24fbb5b65b534d8d4b8dfbf72

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.