
CVE-2019-15138: Arbitrary File Read in html-pdf

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.54157%
Published: 10/11/2019
Updated: 2/1/2023
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| html-pdf | npm | < 3.0.1 | 3.0.1 |

Vulnerability Intelligence
Root Cause Analysis

The key vulnerability stems from how PhantomJS's local URL access was controlled. Commit c12d697 shows that the fix inverted the logic for the `--local-url-access=false` PhantomJS flag. In vulnerable versions, the flag was only added when `options.localUrlAccess` was truthy, which:

1) Meant local URL access was ENABLED by default (no flag added).
2) Allowed file:// XHR requests when no explicit restriction was set.

This matches the CWE-73 (path control) and CWE-200 (info exposure) mappings in the advisory. The test file changes confirm this behavior flip: pre-patch tests expected local access by default, while post-patch tests required explicit opt-in.
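The inverted condition described above, reconstructed as an added example (not html-pdf's own source): the function names and the `audit` helper are hypothetical, and only `options.localUrlAccess`, `phantomArgs` handling as sketched here, and the `--local-url-access=false` flag follow the analysis.

```javascript
// Added illustration of the described flag logic; not code from html-pdf.
const RESTRICT_FLAG = '--local-url-access=false';

// Pre-patch behaviour as described: the restricting flag is added only when
// localUrlAccess is truthy, so an unset option leaves file:// access enabled.
function phantomArgsVulnerable(options = {}) {
  const args = [...(options.phantomArgs || [])];
  if (options.localUrlAccess) args.push(RESTRICT_FLAG);
  return args;
}

// Post-patch behaviour as described: access is restricted unless the caller
// explicitly opts in with localUrlAccess: true.
function phantomArgsPatched(options = {}) {
  const args = [...(options.phantomArgs || [])];
  if (!options.localUrlAccess) args.push(RESTRICT_FLAG);
  return args;
}

// Local URL access stays enabled when the restricting flag is absent
// from the PhantomJS command line.
function fileAccessAllowed(args) {
  return !args.includes(RESTRICT_FLAG);
}

// Compare both builders across the three caller configurations (constructed inputs).
function audit() {
  const cases = [
    { label: 'default (option unset)', options: {} },
    { label: 'localUrlAccess: false', options: { localUrlAccess: false } },
    { label: 'localUrlAccess: true', options: { localUrlAccess: true } },
  ];
  return cases.map(({ label, options }) => ({
    label,
    vulnerableAllowsFile: fileAccessAllowed(phantomArgsVulnerable(options)),
    patchedAllowsFile: fileAccessAllowed(phantomArgsPatched(options)),
  }));
}

console.table(audit());
```

The default row is the one that matters for triage: callers that never set the option get local file access under the pre-patch logic and lose it after the fix.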


WAF Protection Rules

WAF Rule

All versions of `html-pdf` are vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. XHR requests in the HTML code are executed by the server.
