CVE-2022-41706: Browsershot does not validate URL protocols passed to Browsershot URL method

November 25, 2022 (updated April 29, 2025)

Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate the URL protocol passed to the Browsershot::url method.

References

fluidattacks.com/advisories/eminem
github.com/advisories/GHSA-8c2c-jxwj-jqgf
github.com/spatie/browsershot
github.com/spatie/browsershot/commit/92cf16fc098211731f80d21687abeafbe2c457ad
nvd.nist.gov/vuln/detail/CVE-2022-41706

Code Behaviors & Features

Detect and mitigate CVE-2022-41706 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →