CVE-2024-47049: czim/file-handling vulnerable to SSRF and directory traversal
(updated )
The czim/file-handling package before 1.5.0 and 2.x before 2.3.0 (used with PHP Composer) does not properly validate URLs within makeFromUrl and makeFromAny, leading to SSRF, and to directory traversal for the reading of local files.
References
- github.com/advisories/GHSA-6rgh-r6j3-3223
- github.com/czim/file-handling
- github.com/czim/file-handling/blob/2.3.0/SECURITY.md
- github.com/czim/file-handling/commit/95dfda850536bf35e684619598b9d02f4c97680d
- github.com/czim/file-handling/commit/dcf879896efe3457f51af9c8eab9f70dfc709a99
- nvd.nist.gov/vuln/detail/CVE-2024-47049
Code Behaviors & Features
Detect and mitigate CVE-2024-47049 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →