High severity · 7.5 · NVD Advisory · Published Dec 18, 2024 · Updated Apr 15, 2026
CVE-2024-21547
Description
Versions of the package spatie/browsershot before 5.0.2 are vulnerable to Directory Traversal due to URI normalisation in the browser where the file:// check can be bypassed with file:\\. An attacker could read any file on the server by exploiting the normalization of \ into /.
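The normalisation described above can be observed with any WHATWG-compliant URL parser. The following is an added example, not code from spatie/browsershot or the advisory: it uses Node's `URL` class (assumed here to resolve schemes the way the headless browser does) to compare the pre-5.0.2 prefix test with a hypothetical parse-then-allowlist helper, `isAllowedUrl`.

```javascript
// Added example: prefix check versus parse-then-allowlist.
// oldPrefixCheck mirrors the pre-5.0.2 condition shown in the patch on this page.
// resolvedScheme and isAllowedUrl are hypothetical helpers, not part of the package.

// Pre-patch logic: reject only the literal prefixes 'file://' and 'file:/'.
function oldPrefixCheck(url) {
  const u = url.trim().toLowerCase();
  return !(u.startsWith('file://') || u.startsWith('file:/'));
}

// Resolve the scheme as a WHATWG URL parser does (backslashes in special
// schemes are treated as forward slashes during parsing).
function resolvedScheme(url) {
  try {
    return new URL(url.trim()).protocol; // e.g. 'file:' or 'https:'
  } catch {
    return null; // not an absolute URL
  }
}

// Allowlist on the parsed scheme instead of matching string prefixes.
function isAllowedUrl(url) {
  const scheme = resolvedScheme(url);
  return scheme === 'http:' || scheme === 'https:';
}

// Constructed inputs: the four spellings named in the patch's test dataset
// (file://, file:/, file:\, file:\\) plus one ordinary web URL.
const samples = ['file://test', 'file:/test', 'file:\\test', 'file:\\\\test', 'https://example.com/'];

function compare() {
  return samples.map((url) => ({
    url,
    scheme: resolvedScheme(url),
    oldCheckAccepts: oldPrefixCheck(url),
    allowlistAccepts: isAllowedUrl(url),
  }));
}

console.table(compare());
```

The backslash spellings pass the old prefix check yet parse to the `file:` scheme, while the allowlist rejects every `file:` form without having to enumerate separators.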
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| spatie/browsershot (Packagist) | < 5.0.2 | 5.0.2 |
Patches (2)
dfc3635b83dd improve detection of file urls
2 files changed · +12 −3
src/Browsershot.php+6 −2 modified@@ -259,8 +259,12 @@ public function setUrl(string $url): static { $url = trim($url); - if (str_starts_with(strtolower($url), 'file://') || str_starts_with(strtolower($url), 'file:/')) { - throw FileUrlNotAllowed::make(); + $unsupportedProtocols = ['file://', 'file:/', 'file:\\', 'file:\\\\']; + + foreach($unsupportedProtocols as $unsupportedProtocol) { + if (str_starts_with(strtolower($url), $unsupportedProtocol)) { + throw FileUrlNotAllowed::make(); + } } $this->url = $url;
tests/BrowsershotTest.php+6 −1 modified@@ -54,7 +54,12 @@ it('will not allow a file url', function () { Browsershot::url('file://test'); -})->throws(FileUrlNotAllowed::class); +})->throws(FileUrlNotAllowed::class)->with([ + 'file://test', + 'file:/test', + 'file:\test', + 'file:\\test', +]); it('will not allow a file url that has leading spaces', function () { Browsershot::url(' file://test');
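Review bot: In the `setUrl()` hunk of src/Browsershot.php, `$unsupportedProtocols` still enumerates individual separator spellings after `file:`, which is the same approach that missed the backslash form. All four entries start with `file:`, so a single `str_starts_with(strtolower($url), 'file:')` covers them; alternatively, parse the URL and allowlist the schemes the library means to support. As written, `'file://'` is already matched by `'file:/'` and `'file:\\\\'` by `'file:\\'`, and `strtolower($url)` is recomputed on every iteration, so it can be hoisted above the loop.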
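Review bot: In the tests/BrowsershotTest.php hunk, the closure for 'will not allow a file url' still takes no argument and calls `Browsershot::url('file://test')` with a literal, so every entry added by `->with([...])` runs the same URL and the backslash forms are never exercised. Change it to `function (string $url) { Browsershot::url($url); }`. Also, in single-quoted PHP strings `'file:\test'` and `'file:\\test'` are the same value (`file:\test`); the double-backslash case needs `'file:\\\\test'`.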
8a1e3476a9c0
References (5)
- github.com/advisories/GHSA-v528-6rq9-h6gw (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-21547 (ghsa, ADVISORY)
- gist.github.com/chuajianshen/baa71db588cfc038fb5d65624a47be81 (nvd, WEB)
- github.com/spatie/browsershot/commit/dfc3635b83dd980e5c39f8f8c73e87723b99ca01 (nvd, WEB)
- security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8501858 (nvd, WEB)