
CVE-2024-37169:
Arbitrary file read via Playwright's screenshot feature exploiting file wrapper

CVSS Score: 5.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.58284%
Published: 6/5/2024
Updated: 6/11/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Package Name: @jmondi/url-to-png
Ecosystem: npm
Vulnerable Versions: < 2.0.3
First Patched Version: 2.0.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from two key points: 1) The `zodStringUrl` validation in `schema.ts` lacked protocol restrictions, allowing 'file://' URIs. 2) The middleware propagated these invalid URLs to Playwright. The commit fixed both by adding protocol validation in `schema.ts` and improving error messaging in the middleware. The tests added for file:// URLs confirm that these were the attack vectors. Before the patch, both components handled the untrusted input directly without proper sanitization.
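The difference between a syntax-only URL check and a protocol allowlist, as an added example that is not code from url-to-png or from this advisory. The function names and sample inputs are hypothetical and constructed for illustration; the check uses the standard WHATWG `URL` parser available in Node.js.

```javascript
// Added example: names below are hypothetical, not taken from url-to-png.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Syntax-only check: accepts anything the URL parser can parse,
// which includes file:// and every other scheme.
function isValidUrlLoose(input) {
  try {
    new URL(input);
    return true;
  } catch {
    return false;
  }
}

// Hardened check: parse first, then allowlist the *parsed* protocol.
// The parser lowercases the scheme and strips surrounding whitespace,
// so the comparison is made on the normalized value, not the raw string.
function isValidUrlStrict(input) {
  let parsed;
  try {
    parsed = new URL(input);
  } catch {
    return false;
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Constructed sample inputs (not from the advisory).
const samples = [
  "https://example.com/page",
  "HTTP://example.com",
  "file:///path/to/local-file",
  "FILE:///path/to/local-file",
  "  file:///path/to/local-file",
  "ftp://example.com/file",
  "not a url",
];

// Run both checks over a list of inputs and return the verdicts.
function classify(inputs) {
  return inputs.map((url) => ({
    url,
    loose: isValidUrlLoose(url),
    strict: isValidUrlStrict(url),
  }));
}

console.table(classify(samples));
```

Validating the parsed `protocol` rather than matching a prefix on the raw string means case and whitespace variants of a scheme are judged on the same normalized value the browser will act on.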


WAF Protection Rules

WAF Rule

### Impact
All users of url-to-png. Please see https://github.com/jasonraimondi/url-to-png/issues/**
### Patches
[v*.*.*](https://github.com/jasonraimondi/url-to-png/releases/tag/v*.*.*) requires input url to be of protocol `http` or `https`
