CVE-2025-1022: 
PHP vulnerability analysis and mitigation

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation in the setHtml function, invoked by Browsershot::html(). The vulnerability was discovered in December 2024 and publicly disclosed on February 5, 2025. The affected component is the HTML processing functionality in the Browsershot package, which is used for converting webpages to images or PDFs using headless Chrome (NVD, Snyk).

The vulnerability exists in the setHtml function where input validation can be bypassed by omitting the slashes in the file URI. While the function attempts to block file URI schemes (e.g., file:// and file:/), an attacker can circumvent this protection by using alternative file URI formats (e.g., file:../../../../etc/passwd). The vulnerability has received a CVSS v4.0 score of 8.8 (High) and a CVSS v3.1 score of 8.2 (High), indicating significant security impact (NVD, GitHub Commit).

The vulnerability allows attackers to perform arbitrary file reads on the system that utilizes Browsershot. This can lead to unauthorized access to sensitive files on the web server's file system, potentially exposing confidential information. The scope extends beyond the security boundaries managed by the Browsershot package (GitHub PoC).

The recommended mitigation is to upgrade spatie/browsershot to version 5.0.5 or higher. The fix includes improved input validation that checks for various forms of file URI schemes and implements proper URL parsing validation. The patch has been implemented through multiple commits that enhance the security checks for URL and HTML content (GitHub Commit).