CVE-2024-1648

HIGH

electron-pdf 20.0.0 - Arbitrary Local File Read via Unvalidated HTML Content

Title source: llm

Description

electron-pdf version 20.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user.

References (2)

Core 2

Core References

Exploit, Third Party Advisory

https://fluidattacks.com/advisories/drake

Product

https://www.npmjs.com/package/electron-pdf/

Scores

CVSS v3 7.5

EPSS 0.0024

EPSS Percentile 47.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (2)

fraserxu/electron-pdf 20.0.0

npm/electron-pdf 0npm

Published Feb 20, 2024

Tracked Since Feb 18, 2026