High severity8.8NVD Advisory· Published May 5, 2024· Updated Apr 15, 2026
CVE-2024-34515
CVE-2024-34515
Description
image-optimizer before 1.7.3 allows PHAR deserialization, e.g., the phar:// protocol in arguments to file_exists().
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
spatie/image-optimizerPackagist | < 1.7.3 | 1.7.3 |
Patches
2d4f0d09c447089847b55fbb4Merge pull request #211 from Sonicrrrr/main
2 files changed · +29 −5
src/Image.php+25 −1 modified@@ -7,10 +7,16 @@ class Image { protected $pathToImage = ''; + protected const ALLOWED_PROTOCOLS = ['file']; + protected const WINDOWS_LOCAL_FILENAME_REGEX = '/^[a-z]:(?:[\\\\\/]?(?:[\w\s!#()-]+|[\.]{1,2})+)*[\\\\\/]?/i'; public function __construct(string $pathToImage) { - if (! file_exists($pathToImage)) { + if (!$this->isProtocolAllowed($pathToImage)) { + throw new InvalidArgumentException(\sprintf('The output file scheme is not supported. Expected one of [\'%s\'].', \implode('\', \'', self::ALLOWED_PROTOCOLS))); + } + + if (!file_exists($pathToImage)) { throw new InvalidArgumentException("`{$pathToImage}` does not exist"); } @@ -33,4 +39,22 @@ public function extension(): string return strtolower($extension); } + protected function isProtocolAllowed($filename) + { + if (false === $parsedFilename = \parse_url($filename)) { + throw new InvalidArgumentException('The filename is not valid.'); + } + + $protocol = isset($parsedFilename['scheme']) ? \mb_strtolower($parsedFilename['scheme']) : 'file'; + + if ( + \PHP_OS_FAMILY === 'Windows' + && \strlen($protocol) === 1 + && \preg_match(self::WINDOWS_LOCAL_FILENAME_REGEX, $filename) + ) { + $protocol = 'file'; + } + + return \in_array($protocol, self::ALLOWED_PROTOCOLS, true); + } }
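Review bot: The exception the new `__construct` guard throws says 'The output file scheme is not supported', but `$pathToImage` is the input being validated, so the message points whoever hits it at the wrong path; `'The input file scheme is not supported. Expected one of [\'%s\'].'` would match what is checked. The added `isProtocolAllowed($filename)` is also the only undeclared signature in the hunk while the surrounding class types `string $pathToImage` and `extension(): string`, so declare it as `protected function isProtocolAllowed(string $filename): bool`. Two points deserve a comment on the helper: `parse_url()` is a URL parser rather than a path parser, so a local path containing `:` or `?` may be split into unexpected components, and `WINDOWS_LOCAL_FILENAME_REGEX` is anchored only at `^`, so in practice it confirms a drive-letter prefix rather than validating the whole path — a one-line comment stating that intent would save the next reader from reading it as a full filename check. The remainder of `__construct` lies outside the hunk.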
src/OptimizerChain.php+4 −4 modified@@ -64,13 +64,13 @@ public function useLogger(LoggerInterface $log) public function optimize(string $pathToImage, string $pathToOutput = null) { if ($pathToOutput) { - copy($pathToImage, $pathToOutput); - + $check = copy($pathToImage, $pathToOutput); + if($check == false){ + throw new InvalidArgumentException("Cannot copy file"); + } $pathToImage = $pathToOutput; } - $image = new Image($pathToImage); - $this->logger->info("Start optimizing {$pathToImage}"); foreach ($this->optimizers as $optimizer) {
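Review bot: `copy($pathToImage, $pathToOutput)` now runs on the raw `$pathToImage` before anything validates its scheme, and the `$image = new Image($pathToImage);` line that would have applied the new `ALLOWED_PROTOCOLS` check is removed in this hunk without being re-added elsewhere in the file (the section's +4 −4 matches the visible hunk exactly), so `optimize()` with an output path still hands an unchecked path to a stream-wrapper-aware filesystem call — the same class of issue the commit fixes in `Image` — unless that construction moved to a line outside the hunk. Constructing `Image` (or calling the same protocol check) before the copy closes that gap. Separately, `if($check == false){` uses a loose comparison on a `bool` return and drops the PSR-12 spacing; testing the `copy()` result with `=== false` directly is clearer, and an `InvalidArgumentException` carrying only `"Cannot copy file"` gives the caller nothing to act on, so name the paths in the message. `optimize()` continues past the end of the hunk.
```php
public function optimize(string $pathToImage, string $pathToOutput = null)
{
    // Validate the source path's scheme before any filesystem call touches it.
    new Image($pathToImage);

    if ($pathToOutput) {
        if (copy($pathToImage, $pathToOutput) === false) {
            throw new InvalidArgumentException("Cannot copy `{$pathToImage}` to `{$pathToOutput}`");
        }
        $pathToImage = $pathToOutput;
    }

    // … unchanged: logger call and optimizer loop …
```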
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-6pjm-hmvf-h4rrghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-34515ghsaADVISORY
- github.com/spatie/image-optimizer/commit/89847b55fbb44b3bcde0283bff8cc5abb5e51b82ghsaWEB
- github.com/spatie/image-optimizer/compare/1.7.2...1.7.3nvdWEB
- github.com/spatie/image-optimizer/issues/210nvdWEB
- github.com/spatie/image-optimizer/pull/211nvdWEB
News mentions
0No linked articles in our index yet.