pdf-creator-node@2.1.1

Vulnerabilities

1 via 1 paths

Dependencies

89

Source

npm

Find, fix and prevent vulnerabilities in your code.

Severity
  • 1
Status
  • 1
  • 0
  • 0

high severity

Arbitrary File Read

  • Vulnerable module: html-pdf
  • Introduced through: html-pdf@2.2.0

Detailed paths

  • Introduced through: pdf-creator-node@2.1.1 html-pdf@2.2.0
    Remediation: Upgrade to html-pdf@3.0.0.

Overview

html-pdf is a Html to pdf converter in nodejs.

Affected versions of this package are vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input with an XHR request such as request.open("GET","file:///etc/passwd") will result in a PDF document with the contents of /etc/passwd.

Remediation

Upgrade html-pdf to version 3.0.0 or higher.

References