CVE-2024-39919: @jmondi/url-to-png enables capture screenshot of localhost web services (unauthenticated pages)
(updated )
The maintainer been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service.
The package includes an ALLOW_LIST
where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed.
The maintainer is of the opinion that the package should also have a denylist due to a potential vulnerability (or rather design oversight). If someone hosts this on a server, users could then capture screenshots of other web services running locally.
Unless this is strictly for web pages. Something similar here: https://github.com/follow-redirects/follow-redirects/issues/235 (localhost is intended for end users or hosts to deny, and the package is for HTTP/HTTPS.)
This is marked as a LOW
since the maintainer is not sure if this is a vulnerability, but it’s still best to highlight it. :)
References
Detect and mitigate CVE-2024-39919 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →