High severityNVD Advisory· Published Dec 17, 2018· Updated Aug 5, 2024
CVE-2017-18354
CVE-2017-18354
Description
Rendertron 1.0.0 allows remote attackers to read arbitrary files via a 'file://' URL, leading to Local File Inclusion.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Rendertron 1.0.0 allows remote attackers to read arbitrary files via a 'file://' URL, leading to Local File Inclusion.
Vulnerability
Rendertron 1.0.0, a headless Chrome rendering solution, does not properly validate the protocol of requested URLs. The official description notes that alternative protocols such as file:// are allowed, introducing a Local File Inclusion (LFI) vulnerability [1][3]. Affected versions include 1.0.0 and possibly earlier releases; the project has been deprecated and is no longer maintained [1].
Exploitation
A remote attacker with network access to the Rendertron HTTP server can send a request with a file:// URL (e.g., file:///etc/passwd). The server will render and serialise the local file content, returning it in the response. No authentication or special privileges are required beyond reachability of the service [1][3].
Impact
Successful exploitation allows an unauthenticated remote attacker to read arbitrary files on the server's filesystem, leading to information disclosure of sensitive data such as configuration files, credentials, or source code. The attacker gains the file contents as they would appear rendered by Headless Chrome, limited to text-based or parsable files [1][3].
Mitigation
Rendertron is deprecated and no longer actively maintained; no official patch has been released for this specific vulnerability [1]. Users should migrate away from Rendertron and adopt alternative rendering approaches, as the project itself recommends. A pull request (#88) was created to address the issue by adding input validation, but it was not merged into a release [4]. If continued use is unavoidable, restrict network access to the Rendertron instance and avoid exposing it to untrusted clients.
References
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rendertronnpm | < 1.1.0 | 1.1.0 |
Affected products
1Patches
18d70628c96aecopyright headers (#72)
20 files changed · +309 −0
middleware/src/middleware.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const request = require('request');
middleware/test/middleware-test.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const express = require('express');
src/cache.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const datastore = require('@google-cloud/datastore')();
src/index.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <!doctype html> <html lang="en"> <head>
src/main.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const assert = require('assert');
src/renderer.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const CDP = require('chrome-remote-interface');
test/app-test.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const request = require('supertest');
test/cache-test.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + 'use strict'; const test = require('ava');
test/resources/basic-script.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script> var element = document.createElement('title'); element.textContent = 'document' + '-title';
test/resources/custom-element.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script> class MyElement extends HTMLElement { constructor() {
test/resources/explicit-render-event.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script> setTimeout(() => { document.body.textContent = 'async loaded';
test/resources/http-meta-status-code.html+15 −0 modified@@ -1 +1,16 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <meta name="render:status_code" content="400"> \ No newline at end of file
test/resources/http-meta-status-code-multiple.html+15 −0 modified@@ -1,2 +1,17 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <meta name="render:status_code" content="401"> <meta name="render:status_code" content="402"> \ No newline at end of file
test/resources/include-script.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script src="inject-element-after-load.js"></script> <link rel="import" href="custom-element.html"> <custom-element></custom-element>
test/resources/inject-element-after-load.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + window.onload = function() { var element = document.createElement('div'); element.textContent = 'injected' + 'Element';
test/resources/inject-element.js+16 −0 modified@@ -1,3 +1,19 @@ +/* + * Copyright 2017 Google Inc. All rights reserved. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not + * use this file except in compliance with the License. You may obtain a copy of + * the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations under + * the License. + */ + var element = document.createElement('div'); element.textContent = 'injectedElement'; document.body.appendChild(element); \ No newline at end of file
test/resources/script-after-load.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script> window.onload = function() { var script = document.createElement('script');
test/resources/shadow-dom-no-polyfill.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <my-element></my-element> <script> class MyElement extends HTMLElement {
test/resources/shadow-dom-polyfill-all.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script src="node_modules/@webcomponents/webcomponentsjs/webcomponents-lite.js"></script> <my-element></my-element> <script>
test/resources/shadow-dom-polyfill-loader.html+15 −0 modified@@ -1,3 +1,18 @@ +<!-- +Copyright 2017 Google Inc. All rights reserved. + +Licensed under the Apache License, Version 2.0 (the "License"); you may not +use this file except in compliance with the License. You may obtain a copy of +the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the +License for the specific language governing permissions and limitations under +the License. +--> <script src="node_modules/@webcomponents/webcomponentsjs/webcomponents-loader.js"></script> <my-element></my-element> <script>
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-j87c-cj65-vmh5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2017-18354ghsaADVISORY
- bugs.chromium.org/p/chromium/issues/detailghsax_refsource_MISCWEB
- github.com/GoogleChrome/rendertron/commit/8d70628c96ae72eff6eebb451d26fc9ed6b58b0eghsax_refsource_MISCWEB
- github.com/GoogleChrome/rendertron/pull/88ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.