VYPR
Severity: High (score 8.6) · OSV Advisory · Published Dec 20, 2024 · Updated Apr 29, 2026

CVE-2024-21549

Description

Versions of the package spatie/browsershot before 5.0.3 are vulnerable to Improper Input Validation: the setUrl method validates the URL with a prefix blocklist that rejects only spellings of the file: scheme (the fix for CVE-2024-21544). An attacker who controls the URL can prefix it with view-source: (for example view-source:file://...); the prefixed URL passes the check and the headless browser renders the source of the referenced local file, allowing arbitrary file reading. Note: This is a bypass of the fix for CVE-2024-21544.
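To make the mechanics concrete, here is an added example (not Browsershot's own code) that reimplements the pre-5.0.3 prefix blocklist as blocklistAccepts(), puts a parse_url-based http/https allowlist beside it as allowlistAccepts(), and runs both over a few constructed inputs including the view-source: bypass. The function names, the allowlist approach and the sample URLs are assumptions of this example.

```php
<?php
// Added example, not code from spatie/browsershot. Requires PHP 8.0+
// (str_starts_with), the same floor the patched check relies on.
declare(strict_types=1);

// Approximation of the setUrl check before 5.0.3: the trimmed, lower-cased
// URL is rejected only when it starts with one of the file: spellings.
function blocklistAccepts(string $url): bool
{
    $url = trim($url);
    foreach (['file://', 'file:/', 'file:\\', 'file:\\\\'] as $prefix) {
        if (str_starts_with(strtolower($url), $prefix)) {
            return false;
        }
    }
    // Anything else, including "view-source:file://...", falls through.
    return true;
}

// Hardened alternative (an assumption of this example, not the 5.0.3 patch):
// parse the URL and accept only http/https with a non-empty host, so an
// unexpected scheme is rejected by default instead of needing a new entry.
function allowlistAccepts(string $url): bool
{
    $parts = parse_url(trim($url));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    return $parts['host'] !== ''
        && in_array(strtolower($parts['scheme']), ['http', 'https'], true);
}

// Constructed sample inputs; the file path is illustrative only.
$samples = [
    'https://example.com/report',          // legitimate: both accept
    'file:///etc/hostname',                // both reject
    '  FILE:///etc/hostname',              // case/whitespace variant: both reject
    'view-source:file:///etc/hostname',    // CVE-2024-21549: blocklist accepts
    'view-source:https://example.com/',    // non-http scheme: allowlist rejects
];

foreach ($samples as $url) {
    printf(
        "%-38s blocklist=%-6s allowlist=%s\n",
        trim($url),
        blocklistAccepts($url) ? 'pass' : 'reject',
        allowlistAccepts($url) ? 'pass' : 'reject'
    );
}
```

For the view-source:file:/// input, parse_url reports the scheme as view-source with no host, so allowlistAccepts() rejects it while blocklistAccepts() lets it through. The 5.0.3 patch keeps the blocklist design and only adds a view-source entry, so any other non-http scheme still passes setUrl; applications that pass user-supplied URLs to Browsershot should apply an allowlist of their own before calling it.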

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Affected versions   Patched versions
spatie/browsershot (Packagist)   < 5.0.3             5.0.3

Patches

Commit f791ce0ae8dd

do not allow view-source

Repository: https://github.com/spatie/browsershot · Author: Freek Van der Herten · Dec 16, 2024 · via GHSA
2 files changed · +10 −1
  • src/Browsershot.php (modified, +7 −1)
    @@ -259,7 +259,13 @@ public function setUrl(string $url): static
         {
             $url = trim($url);
     
    -        $unsupportedProtocols = ['file://', 'file:/', 'file:\\', 'file:\\\\'];
    +        $unsupportedProtocols = [
    +            'file://',
    +            'file:/',
    +            'file:\\',
    +            'file:\\\\',
    +            'view-source',
    +        ];
     
             foreach ($unsupportedProtocols as $unsupportedProtocol) {
                 if (str_starts_with(strtolower($url), $unsupportedProtocol)) {
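Review bot: adding 'view-source' to $unsupportedProtocols keeps the prefix-blocklist design, so every scheme not spelled out in the list still passes setUrl, and the next wrapper scheme will need yet another entry; consider replacing the loop with an allowlist (after trim and strtolower, accept only URLs starting with 'http://' or 'https://') so unexpected schemes are rejected by default. Two smaller points on this hunk: the array now holds a value that is not a protocol, and the exception raised for it is still FileUrlNotAllowed (see the test), so the variable name and exception no longer describe the check; a one-line comment explaining that view-source: wraps another URL and therefore defeats the file: prefix check would help the next reader.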
    
  • tests/BrowsershotTest.php (modified, +3 −0)
    @@ -56,9 +56,12 @@
         Browsershot::url($url);
     })->throws(FileUrlNotAllowed::class)->with([
         'file://test',
    +    'File://test',
         'file:/test',
         'file:\test',
         'file:\\test',
    +    'view-source',
    +    'View-Source'
     ]);
     
     it('will not allow a file url that has leading spaces', function () {
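Review bot: the new cases 'view-source' and 'View-Source' exercise only the bare prefix, not the composed URL the advisory describes; add a case such as 'view-source:file:///test' so the dataset documents the actual bypass and fails if the check is ever tightened to require a trailing '://' or otherwise changed in a way that lets the wrapped file URL through again. Keeping the bare-prefix cases is fine, but the composed form is the one that matters.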
    
