VYPR

High severity · NVD Advisory · Published Sep 20, 2019 · Updated Aug 5, 2024

CVE-2019-15138

Description

The html-pdf package 2.2.0 for Node.js allows arbitrary file read via an HTML file that uses XMLHttpRequest to access file:/// URLs.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The html-pdf package version 2.2.0 for Node.js contains an arbitrary file read vulnerability. The bug arises from the package's handling of the localUrlAccess option, which controls whether PhantomJS is allowed to access local files. In this version, the option was incorrectly inverted, causing the --local-url-access=false flag to be applied only when localUrlAccess was set to true, and conversely, leaving local file access enabled by default when the option was not set [3].

An attacker can exploit this vulnerability by crafting an HTML file that uses XMLHttpRequest to access a file:/// URL, such as file:///etc/passwd. When this HTML is processed by a server or application using the vulnerable package to generate a PDF, the content of local files can be read and potentially included in the generated PDF output. No authentication is required if the application exposes a PDF generation endpoint to untrusted users [1][4].

The impact is a serious confidentiality breach: an attacker can read arbitrary files from the server's filesystem, including sensitive data like configuration files, application source code, or system files. This could lead to further compromise if credentials or secrets are disclosed [2].

As of the advisory, the vulnerability was fixed in a later commit by inverting the logic so that --local-url-access=false is applied by default, requiring explicit opt-in to enable local file access [3]. Users are strongly advised to upgrade to a patched version or migrate to an alternative library, as the html-pdf package is no longer maintained and relies on the deprecated PhantomJS [1].

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
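To make the inverted check concrete, the following is an added example (not html-pdf's own code) that models the phantomArgs step from lib/pdf.js before and after commit c12d69777780, together with a hypothetical caller-side hardenHtmlPdfOptions helper that keeps PhantomJS local URL access disabled whichever version of the package is installed. The localAccessDisabled check is also an assumption: it only inspects the argv built here, not PhantomJS itself.

```javascript
// Added example (not html-pdf's own code): models the phantomArgs step from
// lib/pdf.js before and after commit c12d69777780, plus a caller-side helper
// that keeps PhantomJS local URL access disabled whichever version is installed.

const LOCAL_OFF = '--local-url-access=false';

// Pre-fix logic: the flag is pushed only when localUrlAccess is truthy, so the
// default (option unset) leaves file:/// URLs reachable from the rendered HTML.
function vulnerablePhantomArgs(options = {}) {
  const args = (options.phantomArgs || []).slice();
  if (options.localUrlAccess) args.push(LOCAL_OFF);
  return args;
}

// Post-fix logic: the flag is pushed unless the caller opts in. Note that the
// check is on truthiness, so the string 'false' still counts as an opt-in.
function fixedPhantomArgs(options = {}) {
  const args = (options.phantomArgs || []).slice();
  if (!options.localUrlAccess) args.push(LOCAL_OFF);
  return args;
}

// Hypothetical caller-side mitigation: drop any localUrlAccess opt-in and any
// caller-supplied --local-url-access flag, then pin the "false" flag. The result
// is safe with both builds above (the fixed build just pushes the flag twice).
function hardenHtmlPdfOptions(options = {}) {
  const { localUrlAccess, phantomArgs = [], ...rest } = options;
  const kept = phantomArgs.filter((a) => !a.startsWith('--local-url-access'));
  return { ...rest, phantomArgs: [LOCAL_OFF, ...kept] };
}

// True when the final PhantomJS argv carries the "false" flag and no other
// --local-url-access value that could contradict it.
function localAccessDisabled(args) {
  const conflicting = args.some((a) => a.startsWith('--local-url-access') && a !== LOCAL_OFF);
  return args.includes(LOCAL_OFF) && !conflicting;
}

// Same options, three outcomes: vulnerable build, fixed build, hardened on vulnerable.
function compare(options) {
  return {
    vulnerable: localAccessDisabled(vulnerablePhantomArgs(options)),
    fixed: localAccessDisabled(fixedPhantomArgs(options)),
    hardenedOnVulnerable: localAccessDisabled(vulnerablePhantomArgs(hardenHtmlPdfOptions(options))),
  };
}

for (const opts of [{}, { localUrlAccess: true }, { localUrlAccess: 'false' }]) {
  console.log(JSON.stringify(opts), compare(opts));
}
```

The third case shows why a boolean comparison would be stricter than the truthiness check in the fix: a string 'false' read from configuration still re-enables local access on the patched build.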

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions   Patched versions
html-pdf (npm)   < 3.0.1             3.0.1

Affected products

2

Patches

1
c12d69777780

Invert localUrlAccess to fix https://www.npmjs.com/advisories/1095

2 files changed · +5 -5
  • lib/pdf.js (+1 -1, modified)
    @@ -36,7 +36,7 @@ function PDF (html, options) {
       if (!this.options.phantomPath) this.options.phantomPath = phantomjs && phantomjs.path
       this.options.phantomArgs = this.options.phantomArgs || []
     
    -  if (this.options.localUrlAccess) this.options.phantomArgs.push('--local-url-access=false')
    +  if (!this.options.localUrlAccess) this.options.phantomArgs.push('--local-url-access=false')
       assert(this.options.phantomPath, "html-pdf: Failed to load PhantomJS module. You have to set the path to the PhantomJS binary using 'options.phantomPath'")
       assert(typeof this.html === 'string' && this.html.length, "html-pdf: Can't create a pdf without an html string")
       this.options.timeout = parseInt(this.options.timeout, 10) || 30000
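Review bot: the inverted condition `if (!this.options.localUrlAccess)` keys on truthiness, so any non-boolean truthy value (for example the string 'false' read from an environment variable or config file) still suppresses `--local-url-access=false`; compare against `true` explicitly (`this.options.localUrlAccess !== true`) so only a deliberate boolean opt-in re-enables local access. The flag is also pushed after the caller-supplied `this.options.phantomArgs`, so a `--local-url-access` value already present in that array is neither removed nor overridden in any documented way; either reject such entries or document which one takes precedence. Since the default now changes for existing callers that relied on local file access, the changelog and README should flag this as a breaking change.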
    
  • test/index.js (+4 -4, modified)
    @@ -229,29 +229,29 @@ test('load with cookies js', function (t) {
       })
     })
     
    -test('allows local file access with localUrlAccess=true', function (t) {
    +test('does not allow localUrlAccess by default', function (t) {
       t.plan(2)
     
       pdf.create(`
         <body>here is an iframe which receives the cookies
           <iframe src="file://${path.join(__dirname, 'multiple-pages.html')}" width="400" height="100"></iframe>
         </body>
    -  `, {localUrlAccess: true})
    +  `)
       .toBuffer(function (error, buffer) {
         t.error(error)
         const count = buffer.toString().match(/\/Type \/Page\n/g).length
         t.assert(count === 1, 'Renders a page with 1 page as the content is missing')
       })
     })
     
    -test('does not allow localUrlAccess by default', function (t) {
    +test('allows local file access with localUrlAccess=true', function (t) {
       t.plan(2)
     
       pdf.create(`
         <body>here is an iframe which receives the cookies
           <iframe src="file://${path.join(__dirname, 'multiple-pages.html')}" width="400" height="100"></iframe>
         </body>
    -  `)
    +  `, {localUrlAccess: true})
       .toBuffer(function (error, buffer) {
         t.error(error)
         const count = buffer.toString().match(/\/Type \/Page\n/g).length
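Review bot: the two tests keep identical HTML and differ only in the `{localUrlAccess: true}` argument, so the hunk effectively just swaps their names to match the inverted default; a third case that passes `localUrlAccess: false` explicitly would pin that the fix honours an explicit opt-out rather than merely flipping the default, and a regression test that reads a `file://` URL through `XMLHttpRequest`, the vector named in the advisory, would cover the path an `<iframe>` does not. The body text 'here is an iframe which receives the cookies' is carried over from the preceding cookies test and no longer describes what these tests check; reword it so a future reader does not conflate the two.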
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

9
