VYPR
High severity (8.6) · OSV Advisory · Published Feb 5, 2025 · Updated Apr 29, 2026

CVE-2025-1026

Description

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. Note: This is a bypass of the fix for CVE-2024-21549.
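As an added illustration of the defensive check the description calls for (this is example code written for this page, not spatie/browsershot's own code), the following PHP validator allowlists the URL scheme instead of denylisting `file:` prefixes. The class name `UrlNotAllowed`, the function `assertSafeRemoteUrl` and the sample inputs are assumptions constructed for the example; several of the inputs mirror the strings in the package's test file. The example also shows why `filter_var(..., FILTER_VALIDATE_URL)` on its own is not sufficient: PHP's filter does not require a host for the `file` scheme, so a host-less `file:` URL passes it and must be caught by the scheme check.

```php
<?php
// Added example for this page, not browsershot's code.
// Names (UrlNotAllowed, assertSafeRemoteUrl) and inputs are assumptions.

declare(strict_types=1);

final class UrlNotAllowed extends InvalidArgumentException {}

/**
 * Accept only absolute http(s) URLs that carry a host. Everything else is
 * rejected before it can reach a headless browser, so file:, view-source:
 * and malformed variants never get a chance to be interpreted downstream.
 */
function assertSafeRemoteUrl(string $url): string
{
    $url = trim($url);

    // First gate: reject input the URL parser cannot handle at all.
    // Note: FILTER_VALIDATE_URL does not restrict the scheme, and it
    // tolerates a missing host for file:, mailto: and news:, so it is
    // not a protection against file: URLs by itself.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new UrlNotAllowed('The given URL is not a valid URL');
    }

    $parts = parse_url($url);
    if ($parts === false) {
        throw new UrlNotAllowed('The given URL could not be parsed');
    }

    $scheme = strtolower($parts['scheme'] ?? '');
    $host   = $parts['host'] ?? '';

    // Second gate (the real control): scheme allowlist plus a required host.
    // Case-folding the scheme covers variants such as "File://".
    if (!in_array($scheme, ['http', 'https'], true) || $host === '') {
        throw new UrlNotAllowed("Only http(s) URLs with a host are allowed, got scheme `{$scheme}`");
    }

    return $url;
}

// Constructed inputs; the second column is whether the validator should accept them.
$cases = [
    'https://example.com/page'           => true,
    'http://example.com:8080/a?b=1'      => true,
    'file:///test'                       => false, // host-less file: URL, passes filter_var, fails allowlist
    'file://localhost/tmp/report.html'   => false, // well-formed, wrong scheme
    '    file://test'                    => false, // leading whitespace is trimmed first
    'File://test'                        => false, // scheme is case-folded
    'view-source:https://example.com'    => false,
    'javascript:alert(1)'                => false, // no host, rejected at the first gate
];

foreach ($cases as $input => $shouldAccept) {
    try {
        assertSafeRemoteUrl($input);
        $accepted = true;
    } catch (UrlNotAllowed $e) {
        $accepted = false;
    }
    printf(
        "%-38s %s\n",
        var_export($input, true),
        $accepted === $shouldAccept ? 'as expected' : 'UNEXPECTED'
    );
}
```

The design choice here is to treat the parser-level check as a sanity filter only and to make the scheme allowlist the control that actually decides; an allowlist does not need updating each time a new spelling of a dangerous prefix is discovered, which is the maintenance problem a denylist of `file:` variants has.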

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                         Affected versions   Patched versions
spatie/browsershot (Packagist)  < 5.0.5             5.0.5

Affected products: 1

Patches: 2

Commit e32739745068: validate url
https://github.com/spatie/browsershot · Freek Van der Herten · Dec 30, 2024 · via ghsa
3 files changed · +16 −1
  • src/Browsershot.php (+5 −1, modified)
    @@ -69,7 +69,7 @@ class Browsershot
         protected ImageManipulations $imageManipulations;
     
         protected array $unsafeProtocols = [
    -        'file:,',
    +        'file:',
             'file:/',
             'file://',
             'file:\\',
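Review bot: the corrected entry deserves a comment in the hunk, because `'file:'` is a prefix of every remaining entry (`'file:/'`, `'file://'`, `'file:\\'`): with `str_starts_with(strtolower($url), $unsupportedProtocol)` those longer forms can no longer match anything the short one does not, so either reduce the list to the single `'file:'` entry or note why the longer forms are kept, so that a later reader does not reintroduce a variant in the belief that the short prefix is missing. The old value `'file:,'` (the comma sits inside the quotes) matched only the literal prefix `file:,`, so it contributed nothing to the check; the regression case added to tests/BrowsershotTest.php in this commit feeds exactly the prefix `file:`, which is the right minimal test for this line.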
    @@ -268,6 +268,10 @@ public function setUrl(string $url): static
         {
             $url = trim($url);
     
    +        if (filter_var($url, FILTER_VALIDATE_URL) === false ){
    +            throw FileUrlNotAllowed::urlCannotBeParsed($url);
    +        }
    +
             foreach ($this->unsafeProtocols as $unsupportedProtocol) {
                 if (str_starts_with(strtolower($url), $unsupportedProtocol)) {
                     throw FileUrlNotAllowed::make();
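Review bot: the new `filter_var` check does not, on its own, reject `file:` URLs that lack a host: PHP's `FILTER_VALIDATE_URL` requires a host for most schemes but explicitly tolerates a missing one for `file`, `mailto` and `news`, so an input such as `file:///test` passes this check and is only stopped by the `$unsafeProtocols` loop below it. The check is still worth having for input `parse_url` cannot handle and for other host-less schemes, but the method's documentation should state that the loop, not the filter, is the control for `file:`. Since `FILTER_VALIDATE_URL` does not restrict the scheme at all, a scheme allowlist (`parse_url($url, PHP_URL_SCHEME)` in `['http', 'https']`, compared case-insensitively) would be a more robust replacement for the prefix denylist than adding further entries to it. Two smaller points: `=== false ){` should be `=== false) {`, and the method should document that it now throws `FileUrlNotAllowed` for malformed input, because callers that previously passed relative or non-ASCII URLs, which `FILTER_VALIDATE_URL` also rejects, will start seeing exceptions.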
    
  • src/Exceptions/FileUrlNotAllowed.php (+5 −0, modified)
    @@ -10,4 +10,9 @@ public static function make(): static
         {
             return new static('An URL is not allow to start with file:// or file:/');
         }
    +
    +    public static function urlCannotBeParsed(string $url): static
    +    {
    +        return new static("The given URL `{$url}` is not a valid URL");
    +    }
     }
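Review bot: `urlCannotBeParsed` interpolates the raw, unvalidated input into the exception message. This method is reached precisely when the string failed URL validation, so the value may contain newlines, control characters or arbitrarily long content; if the message ends up in a log line or an error page, that is attacker-influenced text in the output. Suggest truncating and escaping the value before interpolation (for example `json_encode(substr($url, 0, 100))`) or leaving it out of the message and letting the caller log it in a structured field. While here, the unchanged message two lines up (`An URL is not allow to start with file:// or file:/`) could read `A URL is not allowed to start with file:// or file:/`.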
    
  • tests/BrowsershotTest.php (+6 −0, modified)
    @@ -59,11 +59,17 @@
         'File://test',
         'file:/test',
         'file:\test',
    +    'file:',
         'file:\\test',
         'view-source',
         'View-Source',
     ]);
     
    +it('will not allow a malformed file url with too many slashes', function () {
    +    Browsershot::url('fil
    +     e:///test');
    +})->throws(FileUrlNotAllowed::class);
    +
     it('will not allow a file url that has leading spaces', function () {
         Browsershot::url('    file://test');
     })->throws(FileUrlNotAllowed::class);
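Review bot: the new test asserts only `FileUrlNotAllowed::class`, which both the existing `make()` path and the new `urlCannotBeParsed()` path throw, so it cannot tell which check rejected the input; because `file:///test` starts with `file:`, the `$unsafeProtocols` loop would reject it even if the `filter_var` check were removed, and this test would still pass. To exercise the new validation on its own, add a case that is malformed but does not start with a listed prefix (an `http://` URL with no host, for instance) and assert on the message produced by `urlCannotBeParsed`, and add a positive case showing that a well-formed `https://` URL is still accepted, since `FILTER_VALIDATE_URL` is stricter than the previous behaviour. In this rendering the string literal appears broken across two lines (`'fil` / `e:///test'`); the test name indicates a single-line literal in the actual commit.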
    

References: 7
