CVE-2025-1022
📋 TL;DR
This vulnerability in spatie/browsershot allows attackers to bypass file URI scheme validation by omitting slashes in file paths, potentially enabling local file inclusion attacks. It affects applications using vulnerable versions of the spatie/browsershot package to process untrusted HTML content. The vulnerability could allow reading sensitive files from the server filesystem.
💻 Affected Systems
- spatie/browsershot
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could read sensitive system files like /etc/passwd, /etc/shadow, application configuration files, or database credentials, potentially leading to full system compromise.
Likely Case
Local file inclusion allowing attackers to read application configuration files, source code, or other sensitive data stored on the server.
If Mitigated
Limited impact if proper input validation and file access controls are implemented at the application level.
🎯 Exploit Status
Proof of concept available in GitHub gist. Exploitation requires ability to control HTML input passed to Browsershot::html().
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.5
Vendor Advisory: https://github.com/spatie/browsershot/commit/bcfd608b264fab654bf78e199bdfbb03e9323eb7
Restart Required: No
Instructions:
1. Update spatie/browsershot to version 5.0.5 or later using composer: composer update spatie/browsershot
2. Verify the update completed successfully.
3. Test that HTML processing functionality still works as expected.
🔧 Temporary Workarounds
Input validation workaround
Implement custom validation to block file URI schemes in HTML input before passing it to Browsershot.
🧯 If You Can't Patch
- Implement strict input validation to reject HTML containing any file: URI schemes
- Restrict file system permissions for the web server user to limit accessible directories
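One way to implement the input validation described in the workaround and in the first item above, shown as an added example that is not code from spatie/browsershot or from this advisory. The function names, the wrapper and the sample inputs are assumptions made for illustration; the weak check stands in for any filter that only recognises the scheme when slashes follow it.

```php
<?php
declare(strict_types=1);

// Weak check (illustrative, not Browsershot's code): only matches "file://".
function naiveHasFileUri(string $html): bool
{
    return stripos($html, 'file://') !== false;
}

// Stricter check: match the scheme itself, whatever follows the colon.
function hasFileUri(string $html): bool
{
    // Decode entities so "file&colon;" and "file&#58;" are seen as "file:".
    $decoded = html_entity_decode($html, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // URL parsers drop tab, CR and LF, so remove them before matching.
    $normalized = preg_replace('/[\t\r\n]+/', '', $decoded) ?? $decoded;
    return preg_match('/\bfile:/i', $normalized) === 1;
}

// Hypothetical wrapper an application would call before Browsershot::html().
function assertNoFileUri(string $html): string
{
    if (hasFileUri($html)) {
        throw new InvalidArgumentException('HTML contains a file: URI');
    }
    return $html;
}

// Constructed sample inputs (placeholder paths).
$samples = [
    'two slashes'  => '<img src="file:///tmp/example.txt">',
    'no slashes'   => '<img src="file:tmp/example.txt">',
    'mixed case'   => '<img src="FiLe:/tmp/example.txt">',
    'entity colon' => '<img src="file&#58;/tmp/example.txt">',
    'benign text'  => '<p>Your profile: saved</p>',
];

foreach ($samples as $label => $html) {
    printf("%-13s naive=%-5s strict=%s\n", $label,
        var_export(naiveHasFileUri($html), true),
        var_export(hasFileUri($html), true));
}
```

The strict check deliberately over-blocks: visible text such as "Log file: app.log" is rejected too, which matches the "reject any file: URI scheme" guidance. Treat it as defence in depth alongside the upgrade to 5.0.5, not a replacement for it.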
🔍 How to Verify
Check if Vulnerable:
Check composer.json or run composer show spatie/browsershot to see if version is below 5.0.5
Check Version:
composer show spatie/browsershot | grep versions
Verify Fix Applied:
Verify spatie/browsershot version is 5.0.5 or higher using composer show spatie/browsershot
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from web application
- Failed attempts to access system files
Network Indicators:
- HTTP requests containing file: URI schemes in HTML payloads
SIEM Query:
web_access_logs WHERE uri CONTAINS 'file:' OR payload CONTAINS 'file:'
🔗 References
- https://gist.github.com/mrdgef/a820837c530e09e1dd725e013e0d4341
- https://github.com/spatie/browsershot/commit/bcfd608b264fab654bf78e199bdfbb03e9323eb7
- https://github.com/spatie/browsershot/commit/e3273974506865a24fbb5b65b534d8d4b8dfbf72
- https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496747