CVE-2024-21547: 
PHP vulnerability analysis and mitigation

CVE-2024-21547 affects the spatie/browsershot package versions before 5.0.2. This vulnerability is a Directory Traversal issue discovered in December 2024, where attackers can bypass file:// URI checks through browser URI normalization. The vulnerability was disclosed on December 13, 2024, and affects the package's URL handling functionality (Snyk Security, NVD Database).

The vulnerability exists due to insufficient URL validation in the package's setUrl function. The original implementation only checked for 'file://' and 'file:/' prefixes, but failed to account for backslash variants. Due to browser URI normalization, the characters '' are converted to '/', allowing attackers to bypass the security check. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) and a CVSS v4.0 score of 7.7 (HIGH), indicating significant security risk (Snyk Security).

The vulnerability allows attackers to read any file accessible by the server hosting Browsershot. This includes sensitive information such as API keys, source code, and other confidential files stored on the target server (GitHub POC).

The vulnerability has been patched in version 5.0.2 of spatie/browsershot. The fix includes improved detection of file URLs by checking for additional protocol variants including 'file:' and 'file:\'. Users should upgrade to version 5.0.2 or later to protect against this vulnerability (GitHub Commit).