CVE-2024-37169

Published
View on NVD ↗
CVSS v3
5.3
MEDIUM
CVSS v2
N/A
Affected
2
PROJECTS

Description

@jmondi/url-to-png is a self-hosted URL to PNG utility. Versions prior to 2.0.3 are vulnerable to arbitrary file read if a threat actor uses the Playright's screenshot feature to exploit the file wrapper. Version 2.0.3 mitigates this issue by requiring input URLs to be of protocol `http` or `https`. No known workarounds are available aside from upgrading.

jasonraimondi/url-to-png
jasonraimondi/url-to-png
Selfhosted. URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB
GitHubGitHub
246
user-attachments/files
user-attachments/filesUNAVAILABLE
upload file to github
GitHubGitHub
3