CVE-2025-1026
📋 TL;DR
CVE-2025-1026 is a local file inclusion vulnerability in spatie/browsershot PHP package versions before 5.0.5. Attackers can bypass URL validation in the setUrl method to read sensitive files on the server. This affects any application using vulnerable versions of the spatie/browsershot library.
💻 Affected Systems
- spatie/browsershot
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like configuration files, environment variables, SSH keys, or database credentials, potentially leading to full system takeover.
Likely Case
Unauthorized access to sensitive files containing application secrets, configuration data, or user information, leading to data breach or further exploitation.
If Mitigated
Limited impact with proper file permissions, web server restrictions, and input validation in place, potentially only exposing non-critical files.
🎯 Exploit Status
Exploitation requires the ability to control input to the setUrl method. The vulnerability bypasses previous validation fixes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.5
Vendor Advisory: https://github.com/spatie/browsershot/commit/e3273974506865a24fbb5b65b534d8d4b8dfbf72
Restart Required: No
Instructions:
1. Update composer.json to require "spatie/browsershot": "^5.0.5"
2. Run composer update spatie/browsershot
3. Verify the update completed successfully
4. Test that browsershot functionality still works as expected
🔧 Temporary Workarounds
Input Validation Wrapper
All platforms: Implement additional URL validation before passing input to browsershot's setUrl method
File Permission Restrictions
All platforms: Restrict web server permissions to prevent reading sensitive files even if LFI occurs
🧯 If You Can't Patch
- Implement strict input validation to reject any URLs containing file:// scheme or local file paths
- Restrict web server permissions and implement proper file system access controls
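One way to write the input validation wrapper described above, as an added example that is not code from spatie/browsershot or from this advisory. The function name `assertRenderableUrl` and the sample inputs are hypothetical; it uses a scheme allowlist rather than a `file://` blocklist, so anything that is not an absolute http(s) URL is refused.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (not part of spatie/browsershot).
 * Accepts only absolute http(s) URLs with a host, so file:// URLs
 * and local file paths never reach setUrl.
 */
function assertRenderableUrl(string $url): string
{
    $url = trim($url);

    // Control characters, whitespace and backslashes do not belong in a
    // well-formed http(s) URL, so refuse them before parsing.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url) === 1) {
        throw new InvalidArgumentException('URL contains forbidden characters');
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('URL must be absolute with scheme and host');
    }

    // Allowlist the scheme instead of trying to enumerate bad ones.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https URLs are allowed');
    }

    return $url;
}

// Constructed sample inputs for illustration.
$samples = [
    'https://example.com/report?id=7',
    'file:///etc/passwd',
    '/var/www/html/.env',
    'FILE://localhost/etc/hosts',
    "https://example.com/\npage",
];

foreach ($samples as $candidate) {
    $shown = json_encode($candidate, JSON_UNESCAPED_SLASHES);
    try {
        $safe = assertRenderableUrl($candidate);
        printf("ALLOW  %s\n", $shown);
        // $browsershot->setUrl($safe); // the application's own Browsershot instance
    } catch (InvalidArgumentException $e) {
        printf("REJECT %s (%s)\n", $shown, $e->getMessage());
    }
}
```

Only the first sample is allowed; the other four are rejected before any call to setUrl would happen.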
🔍 How to Verify
Check if Vulnerable:
Check composer.lock, or run composer show spatie/browsershot, to see the installed version; versions before 5.0.5 are affected
Check Version:
composer show spatie/browsershot | grep versions
Verify Fix Applied:
Verify version is 5.0.5 or higher and test that file:// URLs are properly rejected
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns
- Requests with file:// URLs or local paths in parameters
- Failed attempts to access restricted files
Network Indicators:
- HTTP requests containing file:// scheme in URL parameters
SIEM Query:
source="web_logs" AND (url="*file://*" OR parameters="*file://*")
🔗 References
- https://gist.github.com/chuajianshen/6291920112fcf1543fa7b43862112be6
- https://gist.github.com/mrdgef/54a8783408220c67c1b859df38a52d65
- https://github.com/spatie/browsershot/commit/e3273974506865a24fbb5b65b534d8d4b8dfbf72
- https://github.com/spatie/browsershot/pull/908
- https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533024