CVE-2024-39919 Information
Description
@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and storage caching via Local S3 or CouchDB. The package includes an ALLOW_LIST where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or [::] is allowed. If someone hosts this project on a server, users could then capture screenshots of other web services running locally. This issue has been addressed in version 2.1.1 with the addition of a blocklist. Users are advised to upgrade. There are no known workarounds for this vulnerability.
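As an added illustration (not the project's own code and not its 2.1.1 blocklist), a pre-render host check of the kind described above could look like this. `isBlockedTarget` and `BLOCKED_NAMES` are hypothetical names, and the check goes slightly beyond the three hosts named in the description by covering all of 127.0.0.0/8, 0.0.0.0/8, ::1 and IPv4-mapped loopback.

```javascript
// Added example: reject screenshot targets that point at the local host.
// isBlockedTarget and BLOCKED_NAMES are hypothetical, not url-to-png APIs.
const BLOCKED_NAMES = new Set(["localhost"]);

function isBlockedTarget(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return true; // unparseable input is rejected, never rendered
  }
  // Only plain web URLs are valid screenshot targets.
  if (url.protocol !== "http:" && url.protocol !== "https:") return true;

  // WHATWG URL parsing lowercases the host and canonicalises IPv4 literals
  // written in other numeric forms to dotted decimal before we compare.
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (BLOCKED_NAMES.has(host) || host.endsWith(".localhost")) return true;

  // IPv4: loopback 127.0.0.0/8 and the unspecified range 0.0.0.0/8.
  const v4 = host.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
  if (v4) return v4[1] === "127" || v4[1] === "0";

  // IPv6 literals keep their brackets in url.hostname.
  if (host.startsWith("[") && host.endsWith("]")) {
    const v6 = host.slice(1, -1);
    if (v6 === "::" || v6 === "::1") return true;
    // IPv4-mapped addresses are serialised as ::ffff:hhhh:hhhh.
    const mapped = v6.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
    if (mapped) {
      const firstOctet = parseInt(mapped[1], 16) >> 8;
      return firstOctet === 127 || firstOctet === 0;
    }
  }
  return false;
}

// Constructed sample targets, for illustration only.
const samples = ["http://localhost:3000/", "http://127.0.0.1/", "http://[::]/", "https://example.com/"];
for (const s of samples) {
  console.log(s, isBlockedTarget(s) ? "blocked" : "allowed");
}
```

A literal-host check does not cover hostnames that resolve to a loopback address, so the resolved address needs the same test before the page is rendered.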
Reference
https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-342q-2mc2-5gmp
https://github.com/jasonraimondi/url-to-png/commit/f62ff40403ffa1781459d6be8d97b8035888c00c