Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zNDJxLTJtYzItNWdtcM4AA95a
@jmondi/url-to-png enables capture screenshot of localhost web services (unauthenticated pages)
Summary
The maintainer been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service.
The package includes an ALLOW_LIST where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed.
The maintainer is of the opinion that the package should also have a blacklist due to a potential vulnerability (or rather design oversight). If someone hosts this on a server, users could then capture screenshots of other web services running locally.
Unless this is strictly for web pages. Something similar here: https://github.com/follow-redirects/follow-redirects/issues/235 (localhost is intended for end users or hosts to deny, and the package is for HTTP/HTTPS.)
This is marked as a LOW since the maintainer is not sure if this is a vulnerability, but it's still best to highlight it. :)
PoC
Have a service like so running locally:
const http = require("http")
const server = http.createServer((req, res) => {
console.log("Received headers:", req.headers)
res.writeHead(200, { "Content-Type": "text/plain" })
res.end("Something private! But Hello from Server 2 :)")
})
server.listen(3001, () => {
console.log("Server two running on http://localhost:3001")
})
Run the package in dev mode, pnpm dev. Feed these URLs:
http://localhost:3089/?url=http://[::]:3001&width=4000
http://localhost:3089/?url=http://localhost:3001&width=4000
http://localhost:3089/?url=http://127.0.01:3001&width=4000
Impact
Disclose internal web services?
Permalink: https://github.com/advisories/GHSA-342q-2mc2-5gmpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zNDJxLTJtYzItNWdtcM4AA95a
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 4 months ago
Updated: 5 days ago
CVSS Score: 3.7
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-342q-2mc2-5gmp, CVE-2024-39919
References:
- https://github.com/jasonraimondi/url-to-png/security/advisories/GHSA-342q-2mc2-5gmp
- https://github.com/jasonraimondi/url-to-png/commit/f62ff40403ffa1781459d6be8d97b8035888c00c
- https://nvd.nist.gov/vuln/detail/CVE-2024-39919
- https://github.com/advisories/GHSA-342q-2mc2-5gmp
Blast Radius: 1.0
Affected Packages
npm:@jmondi/url-to-png
Dependent packages: 0Dependent repositories: 0
Downloads: 1 last month
Affected Version Ranges: < 2.1.2
Fixed in: 2.1.2
All affected versions: 2.0.3, 2.1.0
All unaffected versions: 2.1.2