GHSA-5p98-wpc9-g498

Source

https://github.com/advisories/GHSA-5p98-wpc9-g498

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/09/GHSA-5p98-wpc9-g498/GHSA-5p98-wpc9-g498.json

Published

2020-09-04T15:21:32Z

Modified

2022-06-22T19:28:32Z

Details

Recommendation

This package is working as intended. A Security section has been added since v0.6.1 to detail proper usage of this library. Npm has revoked their advisory altogether.

Original Advisory

All versions of html-pdf-chrome are vulnerable to Server-Side Request Forgery (SSRF). The package executes HTTP requests if the parsed HTML contains external references to resources, such as <iframe src="http://localhost" height="800px" width="800px"></iframe>. This allows attackers to access resources through HTTP that are accessible to the server, including private resources in the hosting environment.

References

• https://github.com/westy92/html-pdf-chrome/issues/249
• https://github.com/westy92/html-pdf-chrome
• https://www.npmjs.com/advisories/1339