CVE-2024-37169 Information
Description
@jmondi/url-to-png is a self-hosted URL to PNG utility. Versions prior to 2.0.3 are vulnerable to arbitrary file read if a threat actor uses the Playright’s screenshot feature to exploit the file wrapper. Version 2.0.3 mitigates this issue by requiring input URLs to be of protocol http or https. No known workarounds are available aside from upgrading.
Reference
https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-665w-mwrr-77q3
https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-665w-mwrr-77q3
https://github.com/jasonraimondi/url-to-png/issues/47
https://github.com/jasonraimondi/url-to-png/issues/47
https://github.com/jasonraimondi/url-to-png/commit/9336020c5e603323f5cf4a2ac3bb9a7735cf61f7
https://github.com/jasonraimondi/url-to-png/commit/9336020c5e603323f5cf4a2ac3bb9a7735cf61f7
https://github.com/jasonraimondi/url-to-png/releases/tag/v2.0.3
https://github.com/jasonraimondi/url-to-png/releases/tag/v2.0.3
https://github.com/user-attachments/files/15536336/Arbitrary.File.Read.via.Playwright.s.Screenshot.Feature.Exploiting.File.Wrapper.pdf
@jmondi/url-to-png
is
a
self-hosted
URL
to
PNG
utility.
Versions
prior
to
2.0.3
are
vulnerable
to
arbitrary
file
read
if
a
threat
actor
uses
the
Playright’s
screenshot
feature
to
exploit
the
file
wrapper.
Version
2.0.3
mitigates
this
issue
by
requiring
input
URLs
to
be
of
protocol
[***http***](http) or [***https.***](https.)
No
known
workarounds
are
available
aside
from
upgrading.