CVE-2024-21544

8.6 HIGH

Published: December 13, 2024 Modified: October 01, 2025

Description

Versions of the package spatie/browsershot before 5.0.1 are vulnerable to Improper Input Validation due to improper URL validation in the setUrl method. An attacker can exploit this vulnerability by using leading whitespace (%20) before the file:// protocol, resulting in Local File Inclusion, which allows the attacker to read sensitive files on the server.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://github.com/spatie/browsershot/blob/1e212b596c104138550ed4ef1b9977d8df570c67/src/Browsershot.php%23L258-L269

Source: report@snyk.io

https://github.com/spatie/browsershot/commit/fae8396641b961f62bd756920b14f01a4391296e

Source: report@snyk.io

https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8496745

Source: report@snyk.io

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

8.6 / 10.0

EPSS (Exploit Probability)

0.1%

18th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-20

Related CVEs

CVE-2025-69261 N/A

CVE-2025-69257 6.7

CVE-2025-69210 N/A

CVE-2025-66823 N/A

CVE-2025-50343 N/A