CVE-2023-41330

9.8 CRITICAL

📋 TL;DR

This vulnerability in knplabs/knp-snappy allows remote code execution through PHAR deserialization when attackers can control the filename parameter passed to generateFromHtml(). The check added in version 1.4.2 compares the wrapper prefix case-sensitively, so it can be bypassed with uppercase 'PHAR://'. PHP applications that pass user-controlled input to this library are affected.

💻 Affected Systems

Products:
  • knplabs/knp-snappy
Versions: Versions before 1.4.3
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a PHP version prior to 8.0 and the ability for attackers to upload files or control filename parameters.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise allowing arbitrary code execution, file system access, and potential lateral movement within the network.

🟠 Likely Case

Remote code execution leading to data theft, backdoor installation, or service disruption.

🟢 If Mitigated

No impact if input validation prevents user-controlled filenames or if PHP 8+ is used.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user input control and file upload capability. The vulnerability is well-documented with public advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.4.3

Vendor Advisory: https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj

Restart Required: No

Instructions:

1. Update composer.json to require "knplabs/knp-snappy": "^1.4.3".
2. Run 'composer update knplabs/knp-snappy'.
3. Verify the update with 'composer show knplabs/knp-snappy'.

🔧 Temporary Workarounds

Input Validation

Applies to: all

Implement strict validation on user-controlled filename parameters to prevent PHAR wrapper usage.

PHP Version Upgrade

Applies to: all

Upgrade to PHP 8.0 or later, where PHAR deserialization is disabled by default.
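The Input Validation workaround above, as an added example that is not knp-snappy's own code: the wrapper check is deliberately case-insensitive (the gap the 1.4.2 patch left, per the TL;DR), and the caller never chooses the output directory. The class name, the base directory and the wkhtmltopdf path are assumptions.

```php
<?php
declare(strict_types=1);

use Knp\Snappy\Pdf;

// Added example, not knp-snappy's own code: validate a user-supplied output
// filename before it reaches generateFromHtml(). The wrapper check is
// case-insensitive so 'PHAR://' and 'Phar://' are rejected like 'phar://',
// and the result is confined to one fixed output directory.
final class OutputPathValidator
{
    /** @var string hypothetical base directory for generated PDFs */
    private $baseDir;

    public function __construct(string $baseDir)
    {
        $this->baseDir = rtrim($baseDir, '/');
    }

    public function validate(string $userFilename): string
    {
        // 1. Reject any "scheme://" prefix regardless of letter case; this
        //    catches phar:// and every other stream wrapper (file://, data://, ...).
        if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $userFilename) === 1) {
            throw new InvalidArgumentException('Stream wrappers are not allowed');
        }

        // 2. Allow-list the shape of the name: no path separators, no colons,
        //    no NUL bytes, fixed .pdf extension. Everything else is refused.
        if (preg_match('/^[A-Za-z0-9_\-]{1,64}\.pdf$/', $userFilename) !== 1) {
            throw new InvalidArgumentException('Filename must match [A-Za-z0-9_-]{1,64}.pdf');
        }

        // 3. Build the final path ourselves; the caller never chooses the directory.
        return $this->baseDir . '/' . $userFilename;
    }
}

// Usage: $_GET['name'] stands in for whatever user-controlled value the
// application previously passed straight through to Snappy.
$validator = new OutputPathValidator('/var/app/pdf-output');
$outputPath = $validator->validate((string) ($_GET['name'] ?? ''));

$snappy = new Pdf('/usr/local/bin/wkhtmltopdf');
$snappy->generateFromHtml('<h1>Report</h1>', $outputPath);
```

Step 2 alone already excludes the colon that every wrapper needs; step 1 is kept as an explicit, case-insensitive guard so the intent survives later edits to the allow-list.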

🧯 If You Can't Patch

  • Restrict user input to the generateFromHtml() function to trusted sources only.
  • Implement web application firewall rules to block requests containing PHAR wrapper patterns.

🔍 How to Verify

Check if Vulnerable:

Check composer.lock or run 'composer show knplabs/knp-snappy' to see whether the installed version is below 1.4.3.

Check Version:

composer show knplabs/knp-snappy | grep versions

Verify Fix Applied:

Confirm version is 1.4.3 or higher using 'composer show knplabs/knp-snappy'.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file generation requests with PHAR wrapper patterns
  • Exceptions from knp-snappy library

Network Indicators:

  • HTTP requests with PHAR:// or phar:// in parameters

SIEM Query:

source="web_logs" AND (phar:// OR PHAR://)
