
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-21549 affects versions of the spatie/browsershot package before 5.0.3. It is an Improper Input Validation weakness in the URL validation performed by the setUrl method. The vulnerability was discovered on December 16, 2024, and was publicly disclosed on December 19, 2024 (Snyk Advisory).
The vulnerability stems from improper URL validation in the setUrl method of the browsershot package. The flaw allows attackers to bypass the existing URL validation by supplying a URL with the 'view-source:file://' scheme, which the validation logic did not block. This vulnerability is particularly notable because it is a bypass of the fix for a previous vulnerability (CVE-2024-21544). The vulnerability has received a CVSS v3.1 base score of 8.6 (HIGH) and a CVSS v4.0 score of 7.7 (HIGH) (Snyk Advisory).
When successfully exploited, this vulnerability allows an attacker to perform arbitrary file reading on the local system. This means an attacker can access sensitive files on the server where the vulnerable application is running, potentially exposing confidential information (Snyk Advisory).
The vulnerability has been patched in version 5.0.3 of the spatie/browsershot package. The fix updates the URL validation logic to explicitly block the 'view-source' scheme in addition to the previously blocked file schemes. Users are strongly advised to upgrade to version 5.0.3 or later to address this vulnerability (GitHub Commit).
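The validation pattern behind this bypass, shown as an added example that is not Browsershot's own code: a denylist check that only rejects URLs beginning with a file scheme lets a 'view-source:' URL wrapping a file:// target through, while an allowlist check on the parsed scheme (with 'view-source' refused explicitly) does not. The function names and the sample URLs are constructed for illustration and assume PHP 8.

```php
<?php
declare(strict_types=1);

// Weak check (hypothetical, modelled on the denylist approach this advisory
// describes): rejects only URLs whose prefix is a file scheme. A URL such as
// "view-source:file:///..." does not start with "file:", so it is accepted
// even though the browser still resolves the nested file:// target.
function weakUrlIsAllowed(string $url): bool
{
    $lower = strtolower(trim($url));
    return !str_starts_with($lower, 'file:');
}

// Hardened check (hypothetical): extract the scheme with an explicit RFC 3986
// pattern, refuse view-source outright (it wraps another URL, so its inner
// target can never be trusted), and otherwise allow only http and https.
function strictUrlIsAllowed(string $url): bool
{
    $trimmed = trim($url);
    // Control characters or whitespace inside the URL indicate tampering.
    if (preg_match('/[\x00-\x20\x7f]/', $trimmed) === 1) {
        return false;
    }
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $trimmed, $m) !== 1) {
        return false; // no scheme at all: do not guess one
    }
    $scheme = strtolower($m[1]);
    if ($scheme === 'view-source') {
        return false;
    }
    if (!in_array($scheme, ['http', 'https'], true)) {
        return false;
    }
    // Require a host so that bare "http:" style inputs are also rejected.
    $parts = parse_url($trimmed);
    return $parts !== false && !empty($parts['host']);
}

// Constructed sample inputs; paths are placeholders, not real targets.
$samples = [
    'https://example.com/page',
    'file:///path/to/local/file',
    'view-source:file:///path/to/local/file',
    'VIEW-SOURCE:https://example.com/',
    "https://example.com/\x0bpage",
];
foreach ($samples as $u) {
    printf("%-42s weak=%-5s strict=%s\n", addcslashes($u, "\0..\x1f"),
        weakUrlIsAllowed($u) ? 'allow' : 'deny',
        strictUrlIsAllowed($u) ? 'allow' : 'deny');
}
```

Only the first sample passes the strict check; the weak check also admits both view-source URLs, which is exactly the gap the 5.0.3 fix closes.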
Source: This report was generated using AI