CVE-2025-46568
📋 TL;DR
CVE-2025-46568 is a Server-Side Request Forgery (SSRF) vulnerability in Stirling-PDF that allows attackers to read arbitrary files on the server through manipulated HTML tags. The vulnerability affects all users of Stirling-PDF versions before 0.45.0 who utilize the WeasyPrint HTML-to-PDF conversion feature.
💻 Affected Systems
- Stirling-PDF
📦 What is this software?
Stirling Pdf by Stirlingpdf
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise through reading sensitive files like SSH keys, database credentials, configuration files, and potentially escalating to remote code execution.
Likely Case
Exfiltration of sensitive configuration files, environment variables, and application secrets leading to data breach and potential lateral movement.
If Mitigated
Limited file access if proper network segmentation, file permissions, and input validation are in place, though sensitive files may still be exposed.
🎯 Exploit Status
Exploitation requires access to the HTML-to-PDF conversion feature but no authentication. Attack involves crafting malicious HTML with file:// or other URI schemes.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.45.0
Vendor Advisory: https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-998c-x8hx-737r
Restart Required: Yes
Instructions:
1. Back up current configuration and data.
2. Update Stirling-PDF to version 0.45.0 or later.
3. Restart the Stirling-PDF service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable WeasyPrint HTML-to-PDF feature
Temporarily disable the vulnerable HTML-to-PDF conversion functionality until patching is possible.
Modify Stirling-PDF configuration to disable WeasyPrint integration
Implement network restrictions
Restrict Stirling-PDF container/process network access to prevent SSRF to internal services.
Use firewall rules or container networking to limit outbound connections
🧯 If You Can't Patch
- Implement strict input validation and sanitization for HTML content processed by WeasyPrint
- Apply file system permissions to restrict Stirling-PDF service account access to sensitive directories
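One way to implement the input-validation item above, as an added example that is not code from Stirling-PDF, WeasyPrint or the advisory: a pre-filter that audits HTML for resource references a renderer could fetch and rejects `file://`, loopback and other non-public targets before conversion. The names `url_problem` and `audit_html`, the attribute list and the HTTPS-only policy are assumptions made for this sketch.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "data", "poster", "action", "background"}
ALLOWED_SCHEMES = {"https"}  # assumed policy: remote HTTPS resources only
CSS_REF = re.compile(r"(?:url\(\s*['\"]?|@import\s+['\"])([^'\")\s]+)", re.I)

def url_problem(url):
    """Return the reason a resource URL is rejected, or None if acceptable."""
    if url.strip().startswith("#"):
        return None  # in-document fragment, nothing is fetched
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".")
    except ValueError:
        return "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return f"scheme {parts.scheme or 'relative'!r} not allowed"
    if host in ("", "localhost") or host.endswith(".localhost"):
        return "local or missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # a name, not an IP literal; resolve-time checks still apply
        return "numeric-looking host" if re.search(r"(^|\.)(0x[0-9a-f]*|\d+)$", host) else None
    return None if ip.is_global else f"non-public address {ip}"

def audit_html(html):
    """Return (tag, url, reason) for every rejected resource reference."""
    findings = []
    def check(tag, urls):
        findings.extend((tag, u, r) for u in urls if (r := url_problem(u)))
    class Auditor(HTMLParser):
        def handle_starttag(self, tag, attrs):
            for name, value in attrs:  # attribute values arrive entity-decoded
                if name in URL_ATTRS and value:
                    check(tag, [value])
                elif name == "style" and value:
                    check(tag, CSS_REF.findall(value))
        def handle_data(self, data):  # <style> bodies arrive here; all text is scanned
            check("css", CSS_REF.findall(data))
    parser = Auditor()
    parser.feed(html)
    parser.close()
    return findings
# Constructed sample input, not taken from the advisory.
SAMPLE = ('<img src="file:///etc/passwd"><img src="https://example.com/a.png">'
          '<style>@import "https://127.0.0.1/x.css";</style><a href="#top">top</a>')
```

A non-empty result from `audit_html` means the document should be refused rather than passed to the converter; the outbound network restrictions listed earlier are still needed for host names that resolve to internal addresses.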
🔍 How to Verify
Check if Vulnerable:
Check the Stirling-PDF version. If the version is below 0.45.0 and the WeasyPrint feature is enabled, the system is vulnerable.
Check Version:
Check Stirling-PDF web interface or container image tag for version information
Verify Fix Applied:
Verify Stirling-PDF version is 0.45.0 or higher and test that file:// URI schemes in HTML input no longer result in file reads.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns from Stirling-PDF process
- Multiple requests with file:// or other URI schemes in HTML content
- Errors related to file not found or permission denied for sensitive paths
Network Indicators:
- Outbound connections from Stirling-PDF to internal services not typically accessed
- Unusual traffic patterns during HTML-to-PDF conversions
SIEM Query:
source="stirling-pdf" AND (uri="file://*" OR uri="http://localhost*" OR uri="http://127.0.0.1*")