CVE-2019-15138: Arbitrary File Read in html-pdf
7.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.54157%
CWE
Published
10/11/2019
Updated
2/1/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
html-pdf | npm | < 3.0.1 | 3.0.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The key vulnerability stems from how PhantomJS's local URL access was controlled. The commit c12d697
shows the fix inverted the logic for the --local-url-access=false PhantomJS flag. In vulnerable versions, the flag was only added when options.localUrlAccess
was truthy, which: 1) Meant local URL access was ENABLED by default (no flag added) 2) Allowed file://
XHR requests when no explicit restriction was set. This matches the CWE-73
(path control) and CWE-200
(info exposure) mappings in the advisory. The test file
changes confirm this behavior flip - pre-patch tests expected local access by default, post-patch tests required explicit opt-in.