CVE-2024-21549
📋 TL;DR
This vulnerability in the spatie/browsershot PHP package allows attackers to bypass URL validation and read arbitrary local files using the view-source:file:// scheme. It affects applications using vulnerable versions of the package to process user-controlled URLs. This is a bypass of the previous CVE-2024-21544 fix.
💻 Affected Systems
- spatie/browsershot
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like configuration files, SSH keys, or database credentials, potentially leading to further attacks.
Likely Case
Information disclosure of sensitive local files, potentially exposing credentials, configuration data, or other sensitive information.
If Mitigated
Limited impact if proper input validation and URL sanitization are implemented at the application level.
🎯 Exploit Status
Exploitation is straightforward using the view-source:file:// scheme bypass. The vulnerability is publicly documented with examples.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.3
Vendor Advisory: https://github.com/spatie/browsershot/commit/f791ce0ae8dd99367dbfa30588ee31e1196e1728
Restart Required: No
Instructions:
1. Update your composer.json to require spatie/browsershot version 5.0.3 or higher.
2. Run 'composer update spatie/browsershot'.
3. Test your application functionality.
🔧 Temporary Workarounds
Input validation and sanitization
Implement strict URL validation at the application level before passing to browsershot
Restrict file protocol access
Configure PHP or web server to block file:// protocol access
🧯 If You Can't Patch
- Implement strict input validation to reject any URLs containing file:// or view-source: schemes
- Restrict the browsershot functionality to only process URLs from trusted sources or whitelists
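An added example (not code from spatie/browsershot or from this advisory) of the validation described above: since `view-source:file://` got past the earlier fix, it allowlists the `http`/`https` schemes and known hosts rather than denylisting individual schemes. The function name `isSafeRenderUrl`, the host list and the sample URLs are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether a user-supplied URL may be handed to Browsershot.
 * Hypothetical helper; $allowedHosts is the application's own list.
 */
function isSafeRenderUrl(string $url, array $allowedHosts): bool
{
    // Reject whitespace and control characters, which URL parsers
    // may strip or interpret differently from each other.
    if (preg_match('/[\x00-\x20\x7f]/', $url) === 1) {
        return false;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        // "view-source:file:///..." and "file:///..." parse without a host.
        return false;
    }

    // Allowlist of schemes: anything not http/https is refused, so a new
    // wrapper scheme in front of file:// does not need its own rule.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }

    // Exact host match against the trusted list.
    return in_array(strtolower($parts['host']), $allowedHosts, true);
}

// Constructed sample inputs.
$samples = [
    'https://example.com/report',
    'file:///etc/passwd',
    'view-source:file:///etc/passwd',
    'VIEW-SOURCE:FILE:///etc/passwd',
    'https://unlisted.example.net/',
];

foreach ($samples as $candidate) {
    $verdict = isSafeRenderUrl($candidate, ['example.com']) ? 'allow' : 'reject';
    printf("%-34s %s\n", $candidate, $verdict);
}
```

Only the first sample is allowed; call the check before the URL reaches `Browsershot::url()`.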
🔍 How to Verify
Check if Vulnerable:
Check your composer.lock file for the spatie/browsershot version. If the version is below 5.0.3, you are vulnerable.
Check Version:
composer show spatie/browsershot | grep versions
Verify Fix Applied:
After updating, verify that composer.lock shows spatie/browsershot version 5.0.3 or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns
- Requests containing view-source:file:// in URLs
- Errors from browsershot when processing malformed URLs
Network Indicators:
- Outbound requests to internal file paths
- Suspicious URL patterns in application logs
SIEM Query:
search 'view-source:file://' OR 'file://' in application logs where browsershot is used