Description
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. **Note:** This is a bypass of the fix for [CVE-2024-21549](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023).
References (5)
Core 5
Core References
Various Sources
https://gist.github.com/mrdgef/54a8783408220c67c1b859df38a52d65
Issue Tracking
https://github.com/spatie/browsershot/pull/908
Third Party Advisory
https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533024
Scores
CVSS v3
8.6
EPSS
0.0016
EPSS Percentile
36.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-20
Status
published
Products (2)
n/a/spatie/browsershot
< 5.0.5
spatie/browsershot
0 - 5.0.5Packagist
Published
Feb 05, 2025
Tracked Since
Feb 18, 2026