Advisories for Npm/@Jmondi/Url-to-Png package

2024

@jmondi/url-to-png enables capture screenshot of localhost web services (unauthenticated pages)

The maintainer been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service. The package includes an ALLOW_LIST where the host can specify which services the user is permitted to capture screenshots of. By default, …

@jmondi/url-to-png contains a Path Traversal vulnerability

When trying to add a BLOCK_LIST feature when the maintainer noticed they didn't sanitize the ImageId in the code, which leads to path traversal vulnerability. Now, this is different from a traditional path traversal issue, because as of NOW you can store the image in any place arbitrarily, and given enough time they might be able to come up with a working exploit BUT for the time being they am …

Arbitrary file read via Playwright's screenshot feature exploiting file wrapper

All users of url-to-png. Please see https://github.com/jasonraimondi/url-to-png/issues/47