Home > Vulnerability Database > CVE-2024-37169

Mend.io Vulnerability Database

CVE-2024-37169

Date: June 10, 2024

@jmondi/url-to-png is a self-hosted URL to PNG utility. Versions prior to 2.0.3 are vulnerable to arbitrary file read if a threat actor uses the Playright's screenshot feature to exploit the file wrapper. Version 2.0.3 mitigates this issue by requiring input URLs to be of protocol "http" or "https". No known workarounds are available aside from upgrading.

Language: TYPE_SCRIPT

Severity Score

5.3

Related Resources (8)

Url: https://github.com/jasonraimondi/url-to-png

Url: https://github.com/jasonraimondi/url-to-png/commit/9336020c5e603323f5cf4a2ac3bb9a7735cf61f7

Url: https://github.com/jasonraimondi/url-to-png/issues/47

Url: https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-665w-mwrr-77q3

Url: https://github.com/jasonraimondi/url-to-png/releases/tag/v2.0.3

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-37169

Url: https://github.com/user-attachments/files/15536336/Arbitrary.File.Read.via.Playwright.s.Screenshot.Feature.Exploiting.File.Wrapper.pdf

Url: https://www.mend.io/vulnerability-database/CVE-2024-37169

Severity Score

5.3

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

CVSS v3.1

Base Score:	5.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-37169

Date: June 10, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (8)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?