VYPR
High severity (8.6) · OSV Advisory · Published Dec 13, 2024 · Updated Apr 29, 2026

CVE-2024-21544

Description

Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation in the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion, which allows the attacker to read sensitive files on the server.
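The check described above, re-created in isolation as an added example (this is not code from spatie/browsershot; `FileUrlNotAllowed` is a stand-in for the package's exception, and `setUrlAllowlist` is a suggested hardening, not something the project ships). The same constructed inputs are run through the pre-5.0.1 shape of the check, the 5.0.1 shape with `trim()`, and a scheme allowlist, so the difference is visible side by side:

```php
<?php
declare(strict_types=1);

// Added example, not code from spatie/browsershot. The two setUrl* functions
// below mirror the shape of the check described in the advisory and its fix
// commit; setUrlAllowlist is a suggested alternative, not the package's code.
final class FileUrlNotAllowed extends InvalidArgumentException {}

// Pre-5.0.1 shape: the prefix check runs on the raw string, so any leading
// whitespace stops 'file://' from matching and the URL is accepted.
function setUrlBefore(string $url): string
{
    if (str_starts_with(strtolower($url), 'file://') || str_starts_with(strtolower($url), 'file:/')) {
        throw new FileUrlNotAllowed('file urls are not allowed');
    }
    return $url;
}

// 5.0.1 shape: trim() strips PHP's default set (" \t\n\r\0\x0B") from both
// ends before the same check, which closes the leading-whitespace bypass.
function setUrlAfter(string $url): string
{
    $url = trim($url);
    if (str_starts_with(strtolower($url), 'file://') || str_starts_with(strtolower($url), 'file:/')) {
        throw new FileUrlNotAllowed('file urls are not allowed');
    }
    return $url;
}

// Allowlist variant (suggestion, not the package's code): accept only the
// schemes a screenshot service is meant to fetch, instead of denying one.
function setUrlAllowlist(string $url, array $allowedSchemes = ['http', 'https']): string
{
    $url = trim($url);
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), $allowedSchemes, true)) {
        throw new FileUrlNotAllowed('scheme not allowed: ' . var_export($scheme, true));
    }
    return $url;
}

// Returns 'accepted' or 'rejected' for one input under one checker.
function classify(callable $check, string $input): string
{
    try {
        $check($input);
        return 'accepted';
    } catch (FileUrlNotAllowed) {
        return 'rejected';
    }
}

// Constructed inputs. The "%20" in the advisory text is assumed to have been
// URL-decoded to a literal space by the web layer before reaching setUrl.
$inputs = [
    'https://example.com/',       // legitimate target
    'file:///etc/hostname',       // plain file URL: rejected before and after
    '    file:///etc/hostname',   // leading spaces: accepted by the old check
    "\tFILE:///etc/hostname",     // tab + upper case: trim() + strtolower() catch it
];

foreach ($inputs as $input) {
    printf(
        "%-30s before: %-8s after: %-8s allowlist: %s\n",
        json_encode($input),
        classify('setUrlBefore', $input),
        classify('setUrlAfter', $input),
        classify('setUrlAllowlist', $input)
    );
}
```

Run with `php example.php` on PHP 8.0 or newer (`str_starts_with` and the variable-less `catch` are 8.0 features). The third and fourth inputs are the ones that separate the two versions: `setUrlBefore` accepts them, `setUrlAfter` rejects them. The allowlist variant rejects the same inputs without needing to enumerate forbidden schemes, which is the more durable shape for a function whose only legitimate inputs are web URLs.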

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: spatie/browsershot (Packagist)
Affected versions: < 5.0.1
Patched versions: 5.0.1


Patches

1 patch · commit fae8396641b9

make sure urls with leading spaces are not accepted

https://github.com/spatie/browsershot · Freek Van der Herten · Dec 11, 2024 · via ghsa
4 files changed · +9 −3
  • composer.json (+2 −2, modified)
    @@ -29,10 +29,10 @@
             "ext-fileinfo": "*"
         },
         "require-dev": {
    -        "pestphp/pest": "^1.20",
    +        "pestphp/pest": "^3.0",
             "spatie/image": "^3.6",
             "spatie/pdf-to-text": "^1.52",
    -        "spatie/phpunit-snapshot-assertions": "^4.2.3"
    +        "spatie/phpunit-snapshot-assertions": "^4.2.3|^5.0"
         },
         "autoload": {
             "psr-4": {
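Review bot: the pestphp/pest bump from ^1.20 to ^3.0 and the widened spatie/phpunit-snapshot-assertions constraint in this hunk are unrelated to the setUrl fix and make the security patch harder to cherry-pick onto older branches; consider landing test-tooling upgrades in a separate commit so the commit referenced by the advisory contains only the `trim()` change and its test.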
    
  • .github/workflows/run-tests.yml (+1 −1, modified)
    @@ -9,7 +9,7 @@ jobs:
                 fail-fast: false
                 matrix:
                     os: [ubuntu-latest]
    -                php: [8.3, 8.2]
    +                php: [8.4, 8.3, 8.2]
                     stability: [prefer-lowest, prefer-stable]
     
             name: P${{ matrix.php }} - ${{ matrix.stability }} - ${{ matrix.os }}
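Review bot: adding 8.4 to the PHP matrix is a CI-only change with no bearing on the fix and is fine to keep, but it belongs with the dependency bump rather than in a security fix commit; note that the `prefer-lowest` leg is the one that now validates the new `^3.0` lower bound for pest against every listed PHP version.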
    
  • src/Browsershot.php (+2 −0, modified)
    @@ -257,6 +257,8 @@ public function waitForSelector(string $selector, array $options = []): static
     
         public function setUrl(string $url): static
         {
    +        $url = trim($url);
    +
             if (str_starts_with(strtolower($url), 'file://') || str_starts_with(strtolower($url), 'file:/')) {
                 throw FileUrlNotAllowed::make();
             }
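Review bot: `$url = trim($url);` removes only PHP's default set (" \t\n\r\0\x0B"), and the condition that follows is still a deny-list for a single scheme, so the fix is as narrow as the bypass it closes. A scheme allowlist is the more robust shape here, e.g. `$scheme = parse_url($url, PHP_URL_SCHEME);` followed by `if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) { throw FileUrlNotAllowed::make(); }`, so that anything not explicitly fetchable is rejected rather than only `file:`. The method's docblock should also state that the URL is normalized with `trim()`, since callers now receive a different stored value for padded input.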
    
  • tests/BrowsershotTest.php (+4 −0, modified)
    @@ -56,6 +56,10 @@
         Browsershot::url('file://test');
     })->throws(FileUrlNotAllowed::class);
     
    +it('will not allow a file url that has leading spaces', function () {
    +    Browsershot::url('    file://test');
    +})->throws(FileUrlNotAllowed::class);
    +
     it('will not allow html to contain file://', function () {
         Browsershot::html('<h1><img src="file://" /></h1>');
     })->throws(HtmlIsNotAllowedToContainFile::class);
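Review bot: the new test covers only leading ASCII spaces, while the fix trims tabs, newlines and trailing whitespace too and the check lowercases its input; a data-driven Pest case using a `->with([...])` dataset with entries such as `"\tfile://test"`, `"file://test "` and `"  FILE://test"` would pin down everything `trim()` and `strtolower()` are relied on for, and would catch a regression if either call is later removed.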
    
