VYPR
High severity · NVD Advisory · Published Feb 20, 2024 · Updated Dec 3, 2025

electron-pdf 20.0.0 - Local File Read via Server Side XSS

CVE-2024-1648

Description

electron-pdf version 20.0.0 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the HTML content entered by the user.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2024-1648 in electron-pdf 20.0.0 allows remote attackers to read arbitrary local files via unvalidated HTML input.

Vulnerability

Overview

CVE-2024-1648 affects electron-pdf version 20.0.0. The application fails to validate the HTML content provided by the user. This lack of validation allows an external attacker to inject malicious HTML that, when processed by the application, triggers the retrieval of arbitrary local files from the server's filesystem [1][2].

Exploitation

The attack needs neither authentication nor user interaction: the attacker submits crafted HTML to whatever front end feeds electron-pdf. This is the server-side XSS pattern typical of HTML-to-PDF converters. The untrusted markup is not rendered in a user's browser but by the converter's own browser engine (Chromium, in electron-pdf's case), which runs with the converter's filesystem privileges; markup that references a local file therefore has that file's contents rendered into the page, and the page is then written out as the PDF returned to the attacker [2].

Impact

An attacker can remotely obtain any file the electron-pdf process can read, potentially including sensitive configuration files, application code, or user data. The CVSS v3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) rates the confidentiality impact high; integrity and availability are not affected [2].

Mitigation

As of the public disclosure date (2024-02-19), no patch is available for this vulnerability; the vendor was contacted but has not released a fix. Until one is available, treat electron-pdf as a service that renders untrusted content with full filesystem privileges: restrict who can reach it, validate or allow-list the HTML it receives before rendering, monitor submitted documents for markup that references local resources, or disable the service [2]. Because the rendering engine is a full Chromium instance, input validation is only half the control; a document loaded from a file: origin can still embed other local files, so the renderer should also run sandboxed with no more filesystem access than it needs.
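The validation the advisory says electron-pdf lacks, written out as an added example that serves both the Exploitation and Mitigation sections above. This is illustrative code, not electron-pdf's own: it assumes a hypothetical pipeline that calls validateHtml on user-supplied HTML before any rendering, and the tag and attribute allow-lists, the benign invoice and the malicious document are all constructed here. As a pre-render gate it refuses the markup classes that turn a file-privileged renderer into a file reader; run over already-submitted documents, the same function doubles as the "monitoring for malicious requests" the advisory suggests.

```javascript
"use strict";
// Added example, not electron-pdf's own code: a fail-closed validator for HTML
// about to be handed to an HTML-to-PDF renderer that runs with the converter's
// file privileges. The allow-lists and sample documents are constructed here.

// Tags a document-to-PDF pipeline plausibly needs; everything else is refused.
const ALLOWED_TAGS = new Set([
  "html", "head", "title", "body", "h1", "h2", "h3", "p", "br", "hr", "ul", "ol",
  "li", "table", "thead", "tbody", "tr", "th", "td", "b", "i", "strong", "em",
  "span", "div", "a", "img",
]);
// Attributes permitted per tag ("*" = every tag): no style, no event handlers,
// no srcset. Every attribute that can carry a URL must also be in URL_ATTRS.
const ALLOWED_ATTRS = {
  "*": new Set(["class", "id", "title"]),
  a: new Set(["href"]),
  img: new Set(["src", "alt", "width", "height"]),
  td: new Set(["colspan", "rowspan"]),
  th: new Set(["colspan", "rowspan"]),
};
const URL_ATTRS = new Set(["href", "src"]);
// Character references a browser decodes inside attribute values.
const NAMED_ENTITIES = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'",
  colon: ":", sol: "/", Tab: "\t", NewLine: "\n" };

// Decode numeric and named references the way the renderer would, so that
// "&#102;ile:" is seen as "file:" by the scheme check.
function decodeEntities(value) {
  return value.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (match, hex, dec, name) => {
    if (hex || dec) {
      const cp = hex ? parseInt(hex, 16) : parseInt(dec, 10);
      return cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED_ENTITIES, name) ? NAMED_ENTITIES[name] : match;
  });
}

// Browsers drop ASCII control characters (tab and newline included) from URLs,
// so "f\tile:" still means file:. Normalise the same way, then allow only
// absolute http(s) URLs; relative ones would resolve against a file: base.
function isAllowedUrl(raw) {
  const url = decodeEntities(raw).replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  return /^https?:\/\/[^/?#]+/.test(url);
}

// Sticky regexes: a tag must begin exactly at the "<" under inspection.
const DOCTYPE_RE = /<!doctype\s+html\s*>/iy;
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9:-]*)((?:\s+[^\s=\/>"']+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*\/?>/y;
const ATTR_RE = /([^\s=\/>"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function checkAttributes(tag, attrs, violations) {
  const perTag = ALLOWED_ATTRS[tag] || new Set();
  ATTR_RE.lastIndex = 0;
  for (let a; (a = ATTR_RE.exec(attrs)) !== null;) {
    const attr = a[1].toLowerCase();
    const value = a[2] ?? a[3] ?? a[4] ?? "";
    if (!ALLOWED_ATTRS["*"].has(attr) && !perTag.has(attr)) {
      violations.push(`attribute "${attr}" not allowed on <${tag}>`);
    } else if (URL_ATTRS.has(attr) && !isAllowedUrl(value)) {
      violations.push(`<${tag} ${attr}> must be an absolute http(s) URL, got ${JSON.stringify(value)}`);
    }
  }
}

// Returns { ok, violations }. Comments, CDATA and anything the tokenizer cannot
// parse unambiguously are violations too: the renderer might honour them.
function validateHtml(html) {
  const violations = [];
  let pos = 0;
  while (pos < html.length) {
    const lt = html.indexOf("<", pos);
    if (lt === -1) break;
    DOCTYPE_RE.lastIndex = lt;
    if (DOCTYPE_RE.test(html)) { pos = DOCTYPE_RE.lastIndex; continue; }
    TAG_RE.lastIndex = lt;
    const m = TAG_RE.exec(html);
    if (m === null) { violations.push(`unparseable markup at offset ${lt}`); break; }
    const [, closing, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) violations.push(`tag <${name}> not allowed`);
    else if (closing === "") checkAttributes(name, attrs, violations);
    pos = TAG_RE.lastIndex;
  }
  return { ok: violations.length === 0, violations };
}

// Constructed sample inputs: a benign invoice and a document carrying three
// local-file references that a file-privileged renderer would otherwise honour.
const BENIGN_HTML = '<!DOCTYPE html><html><body><h1>Invoice 42</h1><p>Total: 10 EUR</p>' +
  '<img src="https://example.com/logo.png" alt="logo"></body></html>';
const MALICIOUS_HTML = '<html><body><p>Invoice</p>' +
  '<iframe src="file:///etc/passwd"></iframe>' +          // direct local file embed
  '<img src="&#102;ile:///etc/hostname">' +               // entity-encoded scheme
  '<p style="background:url(file:///etc/passwd)">x</p>' + // URL hidden in CSS
  '</body></html>';

console.log(validateHtml(BENIGN_HTML).ok, validateHtml(MALICIOUS_HTML).violations);
```

The validator deliberately refuses rather than repairs: a sanitizer that tries to rewrite hostile markup has to model everything Chromium will do with it, whereas a validator only has to recognise the small set of constructs a PDF pipeline actually needs and reject the rest, including comments and anything its tokenizer cannot parse. Entity decoding and control-character stripping happen before the scheme check because the renderer performs both, so a check on the raw attribute text would pass "&#102;ile:" and "f&Tab;ile:" straight through. It is one layer: the renderer itself should still run sandboxed with no filesystem access it does not need.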

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
electron-pdf   npm         <= 20.0.0           none

Affected products: 3

Patches: 0 (no patches discovered yet)


References: 4

News mentions: 0 (no linked articles in our index yet)