CVE-2025-1026
Published: 05 February 2025
Summary
CVE-2025-1026 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Snyk (inferred from references). Its CVSS base score is 6.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 37.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-1026 is an Improper Input Validation vulnerability (CWE-20) affecting versions of the PHP package spatie/browsershot prior to 5.0.5. The issue stems from inadequate URL validation in the setUrl method, enabling a Local File Inclusion (LFI) attack that allows attackers to read sensitive files on the server. Published on 2025-02-05, this vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and represents a bypass of the mitigation for the related CVE-2024-21549.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By supplying a specially crafted URL to the setUrl method—such as one using file protocol schemes or path traversal techniques—an attacker can trick the package into loading and exposing contents of arbitrary local files, including sensitive configuration files, credentials, or system data, without impacting integrity or availability.
Mitigation involves upgrading to spatie/browsershot version 5.0.5 or later, where the fix is implemented via commit e3273974506865a24fbb5b65b534d8d4b8dfbf72 and pull request #908. Security advisories from Snyk detail the vulnerability and recommend validating all user-supplied inputs to the setUrl method, while proof-of-concept exploits are available in referenced GitHub gists.
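The input validation recommended above, as an added example (not code from spatie/browsershot or from the Snyk advisory): an allowlist check an application could run on a user-supplied URL before passing it to setUrl. The helper name `assertRenderableUrl`, the host allowlist and the sample inputs are assumptions constructed for illustration; the host check goes beyond the scheme validation discussed here, and the check complements the upgrade to 5.0.5 or later rather than replacing it.

```php
<?php
declare(strict_types=1);

// Added example; assertRenderableUrl() is a hypothetical helper, not part of
// spatie/browsershot. Returns the URL unchanged if acceptable, else throws.
function assertRenderableUrl(string $url, array $allowedHosts): string
{
    // Whitespace, control bytes and backslashes are normalised differently by
    // PHP and by the browser, so refuse them instead of trying to clean them.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url) === 1) {
        throw new InvalidArgumentException('forbidden character in URL');
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('URL must be absolute with a host');
    }
    // Allowlist the scheme rather than trying to enumerate dangerous ones.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('scheme not allowed');
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('credentials in URL not allowed');
    }
    // Assumption: the application knows which hosts it is meant to render.
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        throw new InvalidArgumentException('host not on allowlist');
    }
    return $url;
}

// Constructed sample inputs, not taken from the advisory or its references.
$samples = [
    'https://example.com/report?id=7',
    'file:///etc/hostname',
    'FILE:///etc/hostname',
    ' https://example.com/',
    'https://example.com\\path',
    'https://user:pw@example.com/',
    'https://internal.test/',
    '/var/www/html/index.html',
];
foreach ($samples as $s) {
    try {
        assertRenderableUrl($s, ['example.com']);
        echo "accept  $s\n";
    } catch (InvalidArgumentException $e) {
        echo "reject  $s  ({$e->getMessage()})\n";
    }
}
```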
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0238
Vulnerability details
Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. **Note:** This is a bypass of the fix for [CVE-2024-21549](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023).
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated LFI via crafted input to public-facing PHP app directly enables T1190 exploitation and subsequent local file/credential reads via T1005/T1552.001.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mandates input validation mechanisms for URLs passed to the setUrl method, preventing LFI exploitation due to improper validation.
Requires identification, reporting, and correction of flaws like the improper URL validation in spatie/browsershot versions before 5.0.5.
Facilitates vulnerability scanning to identify the presence of CVE-2025-1026 in deployed spatie/browsershot packages.