CVE-2022-43983: Browsershot vulnerable to Cross-Site Scripting (XSS)

November 25, 2022 (updated April 29, 2025)

Browsershot version 3.57.2 allows an external attacker to remotely obtain arbitrary local files. This is possible because the application does not validate that the HTML content passed to the Browsershot::html method does not contain URL’s that use the file:// protocol.

References

fluidattacks.com/advisories/khalid
github.com/advisories/GHSA-82h9-v8vh-mfpq
github.com/spatie/browsershot
github.com/spatie/browsershot/commit/92cf16fc098211731f80d21687abeafbe2c457ad
nvd.nist.gov/vuln/detail/CVE-2022-43983

Code Behaviors & Features

Detect and mitigate CVE-2022-43983 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →