Home > Vulnerability Database > CVE-2024-39918

Mend.io Vulnerability Database

CVE-2024-39918

Good to know:

Date: July 15, 2024

@jmondi/url-to-png is an open source URL to PNG utility featuring parallel rendering using Playwright for screenshots and with storage caching via Local, S3, or CouchDB. Input of the "ImageId" in the code is not sanitized and may lead to path traversal. This allows an attacker to store an image in an arbitrary location that the server has permission to access. This issue has been addressed in version 2.1.2 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Language: TYPE_SCRIPT

Severity Score

4.3

Related Resources (7)

Url: https://github.com/jasonraimondi/url-to-png

Url: https://github.com/jasonraimondi/url-to-png/blob/e43098e0af3a380ebc044e7f303a83933b94b434/src/middlewares/extract_query_params.ts#L75

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-39918

Url: https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-vvmv-wrvp-9gjr

Url: https://github.com/jasonraimondi/url-to-png/releases/tag/v2.1.2

Url: https://github.com/jasonraimondi/url-to-png/commit/e4eaeca6493b21cd515b582fd6c0af09ede54507

Url: https://www.mend.io/vulnerability-database/CVE-2024-39918

Severity Score

4.3

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

Top Fix

Upgrade Version

Upgrade to version @jmondi/url-to-png - 2.1.2

Learn More

CVSS v3.1

Base Score:	4.3
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2024-39918

Good to know:

Date: July 15, 2024

Language: TYPE_SCRIPT

Severity Score

Related Resources (7)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?