CVSS v3: 5.3 (Medium)
EPSS: 0.04 % (16th)
Advisories: 1
@jmondi/url-to-png is a self-hosted URL to PNG utility. Versions prior to 2.0.3 are vulnerable to arbitrary file read if a threat actor uses Playwright's screenshot feature to exploit the file wrapper. Version 2.0.3 mitigates this issue by requiring input URLs to be of protocol `http` or `https`. No known workarounds are available aside from upgrading.
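An added example, not the project's own code: a scheme allow-list of the kind the 2.0.3 mitigation describes, applied to the requested URL before it is handed to the browser. `checkTargetUrl`, `ALLOWED_PROTOCOLS` and `runSamples` are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: only http: and https: targets may reach the screenshot step.
// All names here are hypothetical; they are not taken from @jmondi/url-to-png.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

function checkTargetUrl(input) {
  if (typeof input !== "string" || input.trim() === "") {
    return { ok: false, reason: "empty or non-string input" };
  }
  let parsed;
  try {
    // WHATWG URL parsing lower-cases the scheme and strips surrounding
    // whitespace, so "FILE:..." and " file:..." both normalise to "file:".
    // Comparing the parsed protocol avoids prefix checks on the raw string.
    parsed = new URL(input);
  } catch {
    // Scheme-less input such as "example.com/page" is rejected, not guessed at.
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `protocol ${parsed.protocol} not allowed` };
  }
  // Return the normalised form so later steps use exactly what was checked.
  return { ok: true, url: parsed.href };
}

// Constructed sample inputs (placeholder paths and hosts).
const SAMPLES = [
  "https://example.com/report",
  "HTTP://Example.com",
  "file:///path/to/local/file",
  " FILE:///path/to/local/file",
  "view-source:https://example.com/",
  "data:text/html,<h1>x</h1>",
  "example.com/page",
];

function runSamples() {
  return SAMPLES.map((s) => ({ input: s, ...checkTargetUrl(s) }));
}

for (const r of runSamples()) {
  console.log(r.ok ? "ALLOW" : "DENY ", JSON.stringify(r.input), r.ok ? r.url : r.reason);
}
```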
Weaknesses
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CNA: GitHub, Inc. (security-advisories@github.com)
Published Date: 2024-06-10 22:15:12 (6 weeks ago)
Updated Date: 2024-06-11 13:54:12 (6 weeks ago)