Primary

Context

Spatie Browsershot Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Spatie Browsershot package, specifically in versions 0.0.0 and later. The issue arises in the setUrl() function, where user input is not properly validated. This lack of restriction allows attackers to access localhost and enumerate its directories.

Impact

Exploitation of this vulnerability could lead to unauthorized access to local resources and information.

Reproduction

To reproduce this vulnerability, upload a script that utilizes the Spatie Browsershot package and calls the setUrl() function with a URL pointing to localhost. Once the script is executed, it will access the local server and list its directories, demonstrating the SSRF vulnerability.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

0.6

exploitability

6.0

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

0.6

exploitability

6.0

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Spatie Browsershot Server-Side Request Forgery Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

spatie/browsershot

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating