Cyber Resilience

CVE-2025-1026

Medium

Published: 05 February 2025

Modified: 29 April 2026
CVSS Score v4: 6.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0016 (37.1th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-1026 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Snyk (inferred from references). Its CVSS base score is 6.6 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 37.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1026 is an Improper Input Validation vulnerability (CWE-20) affecting versions of the PHP package spatie/browsershot prior to 5.0.5. The issue stems from inadequate URL validation in the setUrl method, enabling a Local File Inclusion (LFI) attack that allows attackers to read sensitive files on the server. Published on 2025-02-05, this vulnerability carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) and represents a bypass of the mitigation for the related CVE-2024-21549.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. By supplying a specially crafted URL to the setUrl method—such as one using file protocol schemes or path traversal techniques—an attacker can trick the package into loading and exposing contents of arbitrary local files, including sensitive configuration files, credentials, or system data, without impacting integrity or availability.

Mitigation involves upgrading to spatie/browsershot version 5.0.5 or later, where the fix is implemented via commit e3273974506865a24fbb5b65b534d8d4b8dfbf72 and pull request #908. Security advisories from Snyk detail the vulnerability and recommend validating all user-supplied inputs to the setUrl method, while proof-of-concept exploits are available in referenced GitHub gists.
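
One way to validate user-supplied input before it reaches setUrl, shown as an added example that is not code from spatie/browsershot or from the Snyk advisory. The helper name `assertSafeRenderUrl`, the allow-listed host and the sample inputs are assumptions made for illustration; it complements the upgrade to 5.0.5 or later and does not replace it.

```php
<?php
declare(strict_types=1);
// Hypothetical helper (not part of spatie/browsershot): returns a normalised
// URL that is safe to pass to setUrl(), or throws InvalidArgumentException.
function assertSafeRenderUrl(string $input, array $allowedHosts): string
{
    // Reject control characters, whitespace and backslashes outright
    // rather than trimming them, because URL parsers disagree on them.
    if ($input === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $input) === 1) {
        throw new InvalidArgumentException('URL contains forbidden characters');
    }
    $parts = parse_url($input);
    if ($parts === false || !isset($parts['scheme'])) {
        throw new InvalidArgumentException('URL must be absolute with a scheme');
    }

    // Allow-list the scheme instead of block-listing file:// and similar.
    $scheme = strtolower($parts['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('Only http and https are allowed');
    }

    // No embedded credentials, and the host must be one we expect to render.
    if (isset($parts['user']) || isset($parts['pass'])) {
        throw new InvalidArgumentException('Credentials in URL are not allowed');
    }
    $host = strtolower($parts['host'] ?? '');
    if (!in_array($host, $allowedHosts, true)) {
        throw new InvalidArgumentException('Host is not on the allow-list');
    }

    // Rebuild the URL from the parsed parts so the renderer receives exactly
    // what was validated, not the original string.
    $url = $scheme . '://' . $host;
    $url .= isset($parts['port']) ? ':' . $parts['port'] : '';
    $url .= $parts['path'] ?? '/';
    $url .= isset($parts['query']) ? '?' . $parts['query'] : '';
    return $url;
}

// Constructed sample inputs; example.com is a placeholder allow-list entry.
$samples = ['HTTPS://EXAMPLE.COM/report?id=7', 'file:///etc/hostname', 'https://other.test/'];
foreach ($samples as $candidate) {
    try {
        echo 'OK   ', assertSafeRenderUrl($candidate, ['example.com']), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'DENY ', $candidate, ' (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

Pass only the returned string to setUrl, never the original input, so that the value rendered is the value that was checked.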

EU & UK References

Vulnerability details

Versions of the package spatie/browsershot before 5.0.5 are vulnerable to Improper Input Validation due to improper URL validation through the setUrl method, which results in a Local File Inclusion allowing the attacker to read sensitive files. **Note:** This is a bypass of the fix for [CVE-2024-21549](https://security.snyk.io/vuln/SNYK-PHP-SPATIEBROWSERSHOT-8533023).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190: Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005: Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1552.001: Credentials In Files (tactic: Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

Why these techniques?

Remote unauthenticated LFI via crafted input to public-facing PHP app directly enables T1190 exploitation and subsequent local file/credential reads via T1005/T1552.001.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1022 (shared CWE-20)
CVE-2025-50151 (shared CWE-20)
CVE-2024-13681 (shared CWE-20)
CVE-2026-22444 (shared CWE-20)
CVE-2026-21858 (shared CWE-20)
CVE-2026-4755 (shared CWE-20)
CVE-2026-6973 (shared CWE-20)
CVE-2026-23836 (shared CWE-20)
CVE-2025-12275 (shared CWE-20)
CVE-2025-21344 (shared CWE-20)

Affected Assets

Snyk
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates input validation mechanisms for URLs passed to the setUrl method, preventing LFI exploitation due to improper validation.

prevent

Requires identification, reporting, and correction of flaws like the improper URL validation in spatie/browsershot versions before 5.0.5.

detect

Facilitates vulnerability scanning to identify the presence of CVE-2025-1026 in deployed spatie/browsershot packages.

References