Input Validation Flaw in Browsershot Affects Spatie Software
CVE-2025-1022

8.8 HIGH

Key Information:

Vendor

Spatie

CVE Published:
5 February 2025

What is CVE-2025-1022?

An improper input validation vulnerability exists in versions of the Browsershot package prior to 5.0.5. The package attempts to reject file URI schemes such as file:// and file:/ in HTML content passed to setHtml via Browsershot::html(), but the check is incomplete: an attacker can bypass it by omitting the slashes (e.g., file:../../../../etc/passwd), because the validation matches specific slash forms of the scheme rather than the scheme itself. If the rendered HTML can reference local files, this can lead to unauthorized disclosure of sensitive files on the rendering host.
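The root cause described above is a deny-list that matches particular spellings of the scheme (file:// and file:/) instead of parsing the scheme. The following Python example, added here and not taken from Browsershot (which is a PHP package), contrasts that pattern with a scheme allow-list applied to every URL-bearing attribute in the HTML. Function names, the attribute list and the sample HTML snippets are constructed for illustration; the relative-URL handling (rejecting scheme-less references because a locally rendered document may resolve them against a file base) is a design choice of this example, not a statement about how Browsershot resolves URLs.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample inputs (not from the advisory): the bypass form is the
# one the advisory names, file:../../../../etc/passwd.
SAMPLES = {
    "plain": '<p>Hello</p><img src="https://example.com/a.png">',
    "double_slash": '<img src="file:///etc/passwd">',
    "single_slash": '<iframe src="file:/etc/passwd"></iframe>',
    "no_slash": '<img src="file:../../../../etc/passwd">',
    "relative": '<img src="../../etc/passwd">',
}


def weak_check(html: str) -> bool:
    """Deny-list on literal prefixes: blocks 'file://' and 'file:/' only.

    This reproduces the class of incomplete validation described in
    CVE-2025-1022; it returns True (accept) for 'file:' with no slash.
    """
    return "file://" not in html and "file:/" not in html


class _UrlAttrCollector(HTMLParser):
    """Collect the values of attributes that a browser treats as URLs."""

    URL_ATTRS = {"src", "href", "action", "data", "poster", "formaction"}

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in self.URL_ATTRS and value is not None:
                self.urls.append(value)


def strict_check(html: str, allowed_schemes=("http", "https", "data")) -> bool:
    """Allow-list the scheme of every URL-bearing attribute.

    The scheme is obtained by parsing, so 'file:', 'file:/', 'file://' and
    any letter-case variant all reduce to the same scheme name 'file'.
    Scheme-less (relative) references are rejected as well, since a
    document rendered from a local file may resolve them against a file
    base (assumption of this example, see lead-in).
    """
    collector = _UrlAttrCollector()
    collector.feed(html)
    for raw in collector.urls:
        # Drop ASCII control and space characters before parsing; browsers
        # strip these from URLs, so the validator must see what the
        # browser will see.
        cleaned = re.sub(r"[\x00-\x20]", "", raw)
        scheme = urlsplit(cleaned).scheme.lower()
        if scheme not in allowed_schemes:
            return False
    return True


def compare(samples: dict = SAMPLES) -> dict:
    """Return {name: (weak_result, strict_result)} for each sample."""
    return {name: (weak_check(h), strict_check(h)) for name, h in samples.items()}


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:13s} weak={'accept' if weak else 'reject':6s} "
              f"strict={'accept' if strict else 'reject'}")
```

Running the block shows the gap: the deny-list rejects the two slash forms but accepts the no-slash form, while the allow-list rejects all three and the relative reference, and accepts the plain https document. The practical lesson is to validate the parsed scheme against what is permitted rather than enumerate forbidden spellings.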

Affected Version(s)

spatie/browsershot >= 0, < 5.0.5

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Ee Yang Tee