GMS-2020-291: Server-Side Request Forgery in html-pdf-chrome
All versions of html-pdf-chrome are vulnerable to Server-Side Request Forgery (SSRF). The package executes HTTP requests if the parsed HTML contains external references to resources, such as `<iframe src="http://localhost" height="800px" width="800px"></iframe>`. This allows attackers to access resources through HTTP that are accessible to the server, including private resources in the hosting environment.

## Recommendation
No fix is currently available. Consider using an alternative package until a fix is made available.
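Until a fixed release exists, one compensating control is to refuse to render untrusted HTML that references anything outside an allowlist of hosts. The following is an added example, not code from the advisory or from html-pdf-chrome: it scans the markup for the attributes that make a headless-Chrome renderer issue requests (the same kind of `<iframe src>` the advisory quotes) and rejects references that are not absolute http(s) URLs to an allowlisted host, or that are IP literals in loopback, link-local or private ranges. The function names, the regex, the sample HTML and the allowlist are this example's own assumptions.

```javascript
// Added example (not part of the GMS-2020-291 advisory or of html-pdf-chrome).
// Pre-render check: find resource references in untrusted HTML and reject any
// that is not an http(s) URL to an allowlisted, non-private host.

// Tags whose src/href/data attribute is fetched while the page renders.
// Not exhaustive: srcset, CSS url(), @import and similar are not covered.
const RESOURCE_REF_RE =
  /<(iframe|frame|img|script|link|object|embed|source|video|audio)\b[^>]*?\s(?:src|href|data)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Collect every URL the markup would cause the renderer to request.
function findExternalReferences(html) {
  const refs = [];
  for (const m of html.matchAll(RESOURCE_REF_RE)) {
    refs.push({ tag: m[1].toLowerCase(), url: m[2] ?? m[3] ?? m[4] });
  }
  return refs;
}

// IPv4 address in the "this host", loopback, link-local or RFC 1918 ranges.
function isPrivateIPv4(ip) {
  const [a, b] = ip.split(".").map(Number);
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

// Two 16-bit hextets (tail of an IPv4-mapped IPv6 address) as a dotted quad.
function hextetsToIPv4(hi, lo) {
  const h = parseInt(hi, 16), l = parseInt(lo, 16);
  return `${h >> 8}.${h & 255}.${l >> 8}.${l & 255}`;
}

// True when `host` is an IP literal in a non-public range. Names are not
// resolved here, so a public hostname that resolves to an internal address is
// not caught; that case is left to the allowlist and to network egress rules.
function isPrivateAddress(host) {
  const h = host.replace(/^\[|\]$/g, "").toLowerCase(); // URL.hostname keeps [] on IPv6
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h)) return isPrivateIPv4(h);
  if (h.includes(":")) {
    // IPv4-mapped forms (::ffff:a.b.c.d or ::ffff:xxxx:xxxx) wrap an IPv4 range.
    const mapped = h.match(/^::ffff:(?:(\d+\.\d+\.\d+\.\d+)|([0-9a-f]{1,4}):([0-9a-f]{1,4}))$/);
    if (mapped) return isPrivateIPv4(mapped[1] ?? hextetsToIPv4(mapped[2], mapped[3]));
    // Loopback, unspecified, unique-local (fc00::/7) and link-local (fe80::/10).
    return h === "::1" || h === "::" || /^f[cd]/.test(h) || h.startsWith("fe80");
  }
  return false; // not an IP literal
}

// Only absolute http(s) URLs to an allowlisted, non-private host may be fetched;
// relative URLs and other schemes (file:, data:, ...) are rejected outright.
function isAllowedReference(url, allowedHosts) {
  let parsed;
  try {
    parsed = new URL(url); // also canonicalises hosts such as "127.1" to "127.0.0.1"
  } catch {
    return false;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return false;
  if (isPrivateAddress(parsed.hostname)) return false;
  return allowedHosts.includes(parsed.hostname.toLowerCase());
}

// References that must block rendering; an empty list means the HTML may be
// handed to the PDF renderer.
function rejectedReferences(html, allowedHosts) {
  return findExternalReferences(html).filter((r) => !isAllowedReference(r.url, allowedHosts));
}

// Constructed sample input for this example: one allowlisted asset, the
// advisory's localhost iframe, and a few other references the check rejects.
const ALLOWED_HOSTS = ["cdn.example.com"];
const SAMPLE_HTML = `
<html><body>
  <img src="https://cdn.example.com/logo.png">
  <iframe src="http://localhost" height="800px" width="800px"></iframe>
  <img src='http://10.0.0.5/internal/'>
  <script src=http://127.1/x.js></script>
  <link rel="stylesheet" href="file:///etc/hostname">
</body></html>`;

for (const r of rejectedReferences(SAMPLE_HTML, ALLOWED_HOSTS)) {
  console.log(`reject <${r.tag}> -> ${r.url}`);
}
```

Parsing with `URL` before inspecting the host matters because Chrome accepts non-canonical address forms that a string comparison against `127.0.0.1` would miss; the parser normalises them first. A markup scan like this is a screen, not a sandbox: it resolves no names, so it cannot see a public hostname that points at an internal address, and it only knows the attribute patterns it was written for. Running the headless browser in a network-isolated environment with explicit egress rules remains the more robust control while no fixed version of the package is available.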