7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-15138

GHSA ID

GHSA-x4w5-r546-x9qh

EPSS Score

0.54157%

CWE

CWE-73

Published

10/11/2019

Updated

2/1/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-15138

CVE-2019-15138: Arbitrary File Read in html-pdf

All versions of html-pdf are vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server. Input with an XHR request such as request.open("GET","file:///etc/passwd") will result in a PDF document with the contents of /etc/passwd.

Recommendation

No fix is currently available. There is a mitigation available in the provided reference.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-15138

GHSA ID

GHSA-x4w5-r546-x9qh

EPSS Score

0.54157%

CWE

CWE-73

Published

10/11/2019

Updated

2/1/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
html-pdf	npm	< 3.0.1	3.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The key vulnerability stems from how PhantomJS's local URL access was controlled. The commit c12d697 shows the fix inverted the logic for the --local-url-access=false PhantomJS flag. In vulnerable versions, the flag was only added when options.localUrlAccess was truthy, which: 1) Meant local URL access was ENABLED by default (no flag added) 2) Allowed file:// XHR requests when no explicit restriction was set. This matches the CWE-73 (path control) and CWE-200 (info exposure) mappings in the advisory. The test file changes confirm this behavior flip - pre-patch tests expected local access by default, post-patch tests required explicit opt-in.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ll v*rsions o* `*tml-p**` *r* vuln*r**l* to *r*itr*ry *il* R***. T** p**k*** **ils to s*nitiz* t** *TML input, *llowin* *tt**k*rs to *x*iltr*t* s*rv*r *il*s *y supplyin* m*li*ious *TML *o**. X*R r*qu*sts in t** *TML *o** *r* *x**ut** *y t** s*rv*r.

Reasoning

T** k*y vuln*r**ility st*ms *rom *ow P**ntomJS's lo**l URL ****ss w*s *ontroll**. T** *ommit `*******` s*ows t** *ix inv*rt** t** lo*i* *or t** --lo**l-url-****ss=**ls* P**ntomJS *l**. In vuln*r**l* v*rsions, t** *l** w*s only ***** w**n `options.lo*

7.5

Basic Information

Concerned about an active attack path?

CVE-2019-15138: Arbitrary File Read in html-pdf

Recommendation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI