GHSA-5p98-wpc9-g498
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5p98-wpc9-g498
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-5p98-wpc9-g498/GHSA-5p98-wpc9-g498.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5p98-wpc9-g498
- Published
- 2020-09-04T15:21:32Z
- Modified
- 2022-06-22T19:28:32Z
- Summary
- Server-Side Request Forgery in html-pdf-chrome
- Details
-
Recommendation
This package is working as intended. A Security section has been added since v0.6.1 to detail proper usage of this library. Npm has revoked their advisory altogether.
Original Advisory
All versions of
html-pdf-chromeare vulnerable to Server-Side Request Forgery (SSRF). The package executes HTTP requests if the parsed HTML contains external references to resources, such as<iframe src="http://localhost" height="800px" width="800px"></iframe>. This allows attackers to access resources through HTTP that are accessible to the server, including private resources in the hosting environment. - Database specific
{ "github_reviewed_at": "2020-08-31T18:55:39Z", "severity": "HIGH", "cwe_ids": [ "CWE-918" ], "github_reviewed": true, "nvd_published_at": null }- References
Affected packages
npm / html-pdf-chrome
Package
- Name
- html-pdf-chrome
- View open source insights on deps.dev
- Purl
- pkg:npm/html-pdf-chrome