High severity (8.2) · OSV Advisory · Published Feb 5, 2025 · Updated Apr 29, 2026
CVE-2025-1022
Description
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(). The check only looked for the strings file:// and file:/ in the supplied HTML, so a file URI written without slashes (e.g., file:../../../../etc/passwd) is not caught even though the browser still resolves it as the file: scheme. The root cause is that the validation of user-supplied HTML content was meant to block every spelling of the file URI scheme (file://, file:/ and bare file:) but only matched the slashed forms.
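To make the description concrete, here is an added example that is not part of the advisory or of spatie/browsershot's code. It reproduces the pre-5.0.5 substring check described above, the prefix list from the fix commit, and a scheme-aware alternative that inspects the parsed document (via DOMDocument) instead of searching raw markup. The attribute list, function names, constants and the sample inputs are constructed for this example and are assumptions, not the library's API.

```php
<?php
declare(strict_types=1);

// Added example, not code from spatie/browsershot. Compares three ways of
// deciding whether supplied HTML references the file: scheme. Attribute list,
// helper names and the sample inputs below are assumptions made for this example.

const URL_ATTRIBUTES = ['src', 'href', 'data', 'action', 'formaction', 'poster', 'background', 'xlink:href'];
const FORBIDDEN_SCHEMES = ['file', 'view-source'];
// Same strings as the fix commit's $unsafeProtocols (single-quoted: 'file:\\' is file:\ ).
const UNSAFE_PREFIXES = ['file:', 'file:/', 'file://', 'file:\\', 'file:\\\\', 'view-source'];

/** Pre-5.0.5 logic as the advisory describes it: only "file://" and "file:/" are searched for. */
function vulnerableHtmlCheck(string $html): bool
{
    $lower = strtolower($html);
    return str_contains($lower, 'file://') || str_contains($lower, 'file:/');
}

/** Fix-commit logic: substring search over the raw markup for every entry in the prefix list. */
function patchedHtmlCheck(string $html): bool
{
    $lower = strtolower($html);
    foreach (UNSAFE_PREFIXES as $prefix) {
        if (str_contains($lower, $prefix)) {
            return true;
        }
    }
    return false;
}

/** Scheme a browser would see for a URL string, or null if the value is relative. */
function schemeOf(string $value): ?string
{
    $v = preg_replace('/[\t\n\r]/', '', $value);   // browsers drop tab/CR/LF anywhere in a URL
    $v = ltrim($v, "\x00..\x20");                   // and strip leading C0 controls and spaces
    return preg_match('/^([a-z][a-z0-9+.\-]*):/i', $v, $m) === 1 ? strtolower($m[1]) : null;
}

/** Every URL-valued attribute, srcset entry or CSS url() in the parsed document with a forbidden scheme. */
function findForbiddenUrls(string $html): array
{
    if (trim($html) === '') {
        return [];
    }
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);        // tolerate sloppy markup quietly
    $doc->loadHTML($html, LIBXML_NOWARNING | LIBXML_NOERROR);
    libxml_use_internal_errors($prev);

    $cssUrl = '/url\(\s*[\'"]?([^\'")]+)/i';
    $hits = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {         // values arrive entity-decoded, as the browser sees them
            $name = strtolower($attr->nodeName);
            $candidates = [];
            if ($name === 'srcset') {                // "url descriptor, url descriptor"
                $candidates = array_map(fn ($part) => explode(' ', trim($part))[0], explode(',', $attr->nodeValue));
            } elseif (in_array($name, URL_ATTRIBUTES, true)) {
                $candidates = [$attr->nodeValue];
            } elseif ($name === 'style') {
                preg_match_all($cssUrl, $attr->nodeValue, $m);
                $candidates = $m[1];
            }
            foreach ($candidates as $candidate) {
                if (in_array(schemeOf($candidate), FORBIDDEN_SCHEMES, true)) {
                    $hits[] = sprintf('<%s %s>: %s', $el->nodeName, $name, trim($candidate));
                }
            }
        }
    }
    foreach ($doc->getElementsByTagName('style') as $styleEl) {   // <style> blocks carry url() as well
        preg_match_all($cssUrl, $styleEl->textContent, $m);
        foreach ($m[1] as $candidate) {
            if (in_array(schemeOf($candidate), FORBIDDEN_SCHEMES, true)) {
                $hits[] = '<style>: ' . trim($candidate);
            }
        }
    }
    return $hits;
}

// Constructed sample inputs; the first is the advisory's own bypass string.
$samples = [
    'bypass'  => '<img src="file:../../../../etc/passwd">',
    'slashes' => '<iframe src="file:///etc/hostname"></iframe>',
    'css'     => '<div style="background:url( FILE:/etc/issue )">x</div>',
    'benign'  => '<p>Update your profile: <a href="https://example.test/profile">here</a></p>',
];
foreach ($samples as $label => $html) {
    printf("%-8s pre-5.0.5=%-7s fix-list=%-7s scheme-aware=%-7s %s\n",
        $label,
        vulnerableHtmlCheck($html) ? 'blocked' : 'allowed',
        patchedHtmlCheck($html) ? 'blocked' : 'allowed',
        findForbiddenUrls($html) ? 'blocked' : 'allowed',
        implode('; ', findForbiddenUrls($html)));
}
```

Run it with `php example.php` (ext-dom is assumed to be available). The "bypass" row is the advisory's case: the pre-5.0.5 check lets it through, the fix-commit list and the scheme-aware check both reject it. The "benign" row shows the cost of a raw substring search for `file:`: the word "profile:" triggers it, while the scheme-aware check only looks at values that actually become URLs.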
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| spatie/browsershot (Packagist) | < 5.0.5 | 5.0.5 |
Affected products
- Range: 0.1.0, 0.1.1, 0.1.2, …
Patches
3e32739745068 validate url
3 files changed · +16 −1
src/Browsershot.php+5 −1 modified@@ -69,7 +69,7 @@ class Browsershot protected ImageManipulations $imageManipulations; protected array $unsafeProtocols = [ - 'file:,', + 'file:', 'file:/', 'file://', 'file:\\', @@ -268,6 +268,10 @@ public function setUrl(string $url): static { $url = trim($url); + if (filter_var($url, FILTER_VALIDATE_URL) === false ){ + throw FileUrlNotAllowed::urlCannotBeParsed($url); + } + foreach ($this->unsafeProtocols as $unsupportedProtocol) { if (str_starts_with(strtolower($url), $unsupportedProtocol)) { throw FileUrlNotAllowed::make();
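Review bot: the new `filter_var($url, FILTER_VALIDATE_URL)` guard in setUrl does not block the scheme this advisory is about, because PHP's URL filter treats `file` (like `mailto` and `news`) as a scheme that may have an empty host, so a value such as `file:../../etc/passwd` passes it and only the `$unsafeProtocols` loop below catches it. The protection in this hunk actually comes from the one-character correction of `'file:,'` to `'file:'` at the top of the diff, which the commit message should say explicitly. Note also that `FILTER_VALIDATE_URL` rejects scheme-less inputs (for example `example.com/page`) that previously reached the protocol loop, so this is a behaviour change for callers and deserves a changelog entry; and the condition `=== false ){` needs its space moved to `=== false) {`.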
src/Exceptions/FileUrlNotAllowed.php+5 −0 modified@@ -10,4 +10,9 @@ public static function make(): static { return new static('An URL is not allow to start with file:// or file:/'); } + + public static function urlCannotBeParsed(string $url): static + { + return new static("The given URL `{$url}` is not a valid URL"); + } }
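Review bot: the unchanged message in `make()` is now out of date as well as ungrammatical: with `'file:'` in the list it should read "A URL is not allowed to start with file:, file:/ or file://". The new `urlCannotBeParsed()` message interpolates the raw user-supplied string; that is useful for debugging, but callers who log exception messages should be aware that attacker-controlled input lands in their logs unescaped.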
tests/BrowsershotTest.php+6 −0 modified@@ -59,11 +59,17 @@ 'File://test', 'file:/test', 'file:\test', + 'file:', 'file:\\test', 'view-source', 'View-Source', ]); +it('will not allow a malformed file url with too many slashes', function () { + Browsershot::url('fil + e:///test'); +})->throws(FileUrlNotAllowed::class); + it('will not allow a file url that has leading spaces', function () { Browsershot::url(' file://test'); })->throws(FileUrlNotAllowed::class);
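Review bot: every case visible in this hunk goes through `Browsershot::url()`, yet the advisory's bypass is in `setHtml()` via `Browsershot::html()`; add a test for that path, for example `Browsershot::html('<img src="file:../../../../etc/passwd">')` expected to throw `HtmlIsNotAllowedToContainFile`, so that a future change to the shared `$unsafeProtocols` array cannot silently reopen the HTML side. The added `'file:'` dataset entry is the regression test for the one-character fix and is good to keep.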
bcfd608b264f disallow file:
1 file changed · +14 −11
src/Browsershot.php+14 −11 modified@@ -68,6 +68,15 @@ class Browsershot protected ImageManipulations $imageManipulations; + protected array $unsafeProtocols = [ + 'file:,', + 'file:/', + 'file://', + 'file:\\', + 'file:\\\\', + 'view-source', + ]; + public static function url(string $url): static { return (new static)->setUrl($url); @@ -259,15 +268,7 @@ public function setUrl(string $url): static { $url = trim($url); - $unsupportedProtocols = [ - 'file://', - 'file:/', - 'file:\\', - 'file:\\\\', - 'view-source', - ]; - - foreach ($unsupportedProtocols as $unsupportedProtocol) { + foreach ($this->unsafeProtocols as $unsupportedProtocol) { if (str_starts_with(strtolower($url), $unsupportedProtocol)) { throw FileUrlNotAllowed::make(); } @@ -301,8 +302,10 @@ public function setProxyServer(string $proxyServer): static public function setHtml(string $html): static { - if (str_contains(strtolower($html), 'file://') || str_contains(strtolower($html), 'file:/')) { - throw HtmlIsNotAllowedToContainFile::make(); + foreach ($this->unsafeProtocols as $protocol) { + if (str_contains(strtolower($html), $protocol)) { + throw HtmlIsNotAllowedToContainFile::make(); + } } $this->html = $html;
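Review bot: in the first hunk the new entry `'file:,'` contains a stray comma inside the string literal, so the bare `file:` prefix the advisory describes matches neither `str_starts_with` in setUrl nor `str_contains` in setHtml; it must be `'file:'`, and a dataset entry for exactly that input would have caught it. In the setHtml hunk, `str_contains(strtolower($html), $protocol)` over the whole document will also reject benign content, since `'file:'` is a substring of "profile:" and any page mentioning "view-source" is refused; a denylist over raw markup is a coarse instrument for deciding what the browser will load, so consider parsing the document and checking the scheme of URL-valued attributes, or enforcing the restriction at the browser level (e.g. Puppeteer request interception that denies anything other than http and https), in addition to this check.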
c0fa14c2386d
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-j2gw-r24m-j2qw (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-1022 (GHSA, advisory)
- gist.github.com/mrdgef/a820837c530e09e1dd725e013e0d4341 (NVD, web)
- github.com/spatie/browsershot/commit/bcfd608b264fab654bf78e199bdfbb03e9323eb7 (NVD, web)
- github.com/spatie/browsershot/commit/e3273974506865a24fbb5b65b534d8d4b8dfbf72 (NVD, web)
- security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496747 (NVD, web)