CVE-2024-37169
📋 TL;DR
This vulnerability in @jmondi/url-to-png allows attackers to read arbitrary files from the server by exploiting Playwright's screenshot feature with file wrapper URLs. It affects all self-hosted instances running versions before 2.0.3. The issue occurs because the utility accepted file:// URLs, enabling local file system access.
💻 Affected Systems
- @jmondi/url-to-png
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server file system compromise including sensitive configuration files, credentials, and application source code disclosure.
Likely Case
Unauthorized reading of sensitive files such as configuration files, environment variables, or application secrets stored on the server.
If Mitigated
Limited impact if proper network segmentation and file permissions are in place, though sensitive data could still be exposed.
🎯 Exploit Status
Detailed exploit documentation is available in the PDF attachment. The vulnerability requires no authentication and has simple exploitation steps.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.3
Vendor Advisory: https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-665w-mwrr-77q3
Restart Required: Yes
Instructions:
1. Stop the url-to-png service.
2. Update to version 2.0.3 using npm: 'npm update @jmondi/url-to-png'.
3. Restart the service.
🔧 Temporary Workarounds
No workarounds available
The vendor states no workarounds exist aside from upgrading to the patched version.
🧯 If You Can't Patch
- Isolate the vulnerable service in a restricted network segment with no access to sensitive files
- Implement strict file system permissions to limit what the application user can read
🔍 How to Verify
Check if Vulnerable:
Check package.json for the @jmondi/url-to-png version. If the version is less than 2.0.3, the system is vulnerable.
Check Version:
npm list @jmondi/url-to-png
Verify Fix Applied:
Verify the version is 2.0.3 or higher and test that file:// URLs are rejected with appropriate error messages.
📡 Detection & Monitoring
Log Indicators:
- Failed attempts to access file:// URLs
- Unusual file path patterns in URL parameters
- Error logs showing file protocol rejection
Network Indicators:
- HTTP requests containing file:// protocol in URL parameters
- Unusual file path patterns in incoming requests
SIEM Query:
source="url-to-png" AND (url="*file://*" OR error="*file protocol*" OR (status=400 AND message="*invalid protocol*"))
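The verification step above says to confirm that file:// URLs are rejected, and the detection section lists file:// targets in request logs as an indicator. The following is an added example, not code from url-to-png or its maintainer: a scheme allow-list that a screenshot service can apply before the URL reaches the browser, plus a scan that runs the same check over constructed request-log lines (the log format and the `url=` query parameter are assumptions for the example).

```javascript
// Added example, not part of url-to-png: allow-list the URL scheme before it
// reaches Playwright, and re-use that check to flag file:// attempts in logs.
// The only schemes a screenshot service should render are http: and https:;
// everything else (file:, data:, javascript:, ...) is rejected up front.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns { ok: true, url } with the normalised URL, or { ok: false, reason }.
// The WHATWG URL parser lower-cases the scheme and strips surrounding
// whitespace, so "FILE://" and " file:///x " are caught as well.
function validateTargetUrl(input) {
  if (typeof input !== "string" || input.trim() === "") {
    return { ok: false, reason: "empty url" };
  }
  let parsed;
  try {
    parsed = new URL(input); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: "malformed url" };
  }
  if (!ALLOWED_PROTOCOLS.has(parsed.protocol)) {
    return { ok: false, reason: `invalid protocol ${parsed.protocol}` };
  }
  return { ok: true, url: parsed.href };
}

// Detection helper: given request-log lines of the assumed form
// "<timestamp> GET /?url=<percent-encoded target>", return the lines whose
// target fails the same allow-list, i.e. the file:// attempts to alert on.
function findRejectedTargets(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /[?&]url=([^&\s]+)/.exec(line);
    if (!m) continue; // no target parameter on this request
    let target;
    try { target = decodeURIComponent(m[1]); } catch { target = m[1]; }
    const verdict = validateTargetUrl(target);
    if (!verdict.ok) hits.push({ line, target, reason: verdict.reason });
  }
  return hits;
}

// Constructed sample log lines for the example (not real traffic).
const SAMPLE_LOG = [
  "2024-06-01T10:00:00Z GET /?url=https%3A%2F%2Fexample.com",
  "2024-06-01T10:00:01Z GET /?url=file%3A%2F%2F%2Fpath%2Fto%2Fsecret",
  "2024-06-01T10:00:02Z GET /?url=FILE%3A%2F%2F%2Fpath%2Fto%2Fsecret",
  "2024-06-01T10:00:03Z GET /healthz",
];
```

Running `findRejectedTargets(SAMPLE_LOG)` flags the two file:// lines and ignores the https:// request and the health check.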
🔗 References
- https://github.com/jasonraimondi/url-to-png/commit/9336020c5e603323f5cf4a2ac3bb9a7735cf61f7
- https://github.com/jasonraimondi/url-to-png/issues/47
- https://github.com/jasonraimondi/url-to-png/releases/tag/v2.0.3
- https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-665w-mwrr-77q3
- https://github.com/user-attachments/files/15536336/Arbitrary.File.Read.via.Playwright.s.Screenshot.Feature.Exploiting.File.Wrapper.pdf