CVE-2020-7740

HIGH

Node-pdf-generator - SSRF

Title source: rule

Description

This affects all versions of package node-pdf-generator. Due to lack of user input validation and sanitization done to the content given to node-pdf-generator, it is possible for an attacker to craft a url that will be passed to an external server allowing an SSRF attack.

Exploits (1)

nomisec WORKING POC

by CS4239-U6 · poc

https://github.com/CS4239-U6/node-pdf-generator-ssrf

View Code ZIP pw:eip

References (2)

[Broken Link, Third Party Advisory] https://github.com/darrenhaken/node-pdf-generator/blob/master/index.js%23L29

[Third Party Advisory] https://snyk.io/vuln/SNYK-JS-NODEPDFGENERATOR-609636

Scores

CVSS v3 8.2

EPSS 0.0548

EPSS Percentile 90.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Details

CWE

CWE-918 CWE-20

Status published

Products (2)

node-pdf-generator_project/node-pdf-generator

npm/node-pdf-generator 0npm

Published Oct 06, 2020

Tracked Since Feb 18, 2026