GHSA-v528-6rq9-h6gw

GitHub Security Advisory

Spatie Browsershot Directory Traversal vulnerability

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

Versions of the package spatie/browsershot before 5.0.2 are vulnerable to Directory Traversal: the package's file:// check can be bypassed with file:\\ because the browser normalises \ into / when it parses the URI. An attacker could exploit this normalisation to read any file on the server.
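
The mismatch described above, shown as an added example (not spatie/browsershot code): a literal prefix test beside a check that parses the input with the WHATWG URL parser, the same normalisation browsers apply, and then allowlists the scheme. The function names, the prefix-test form of the naive check and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not the project's code. All names here are hypothetical.

// Naive check, modelled on the advisory's description: a literal prefix test
// on the raw string. It never sees what the browser will actually load.
function naiveIsFileUrl(input) {
  return input.toLowerCase().startsWith('file://');
}

// Hardened check: normalise first with the WHATWG URL parser, then allowlist
// the scheme of the parsed result instead of denylisting one spelling of it.
const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

function isAllowedUrl(input) {
  let parsed;
  try {
    parsed = new URL(input);
  } catch {
    return false; // not an absolute, parseable URL: reject
  }
  return ALLOWED_PROTOCOLS.has(parsed.protocol);
}

// Scheme as the parser sees it after backslashes are treated as slashes.
function normalizedProtocol(input) {
  return new URL(input).protocol;
}

// Constructed sample inputs; the paths are placeholders.
const SAMPLES = [
  'https://example.com/report',
  'file:///tmp/constructed.txt',
  String.raw`file:\\/tmp/constructed.txt`, // the file:\\ form from the advisory
];

function classify(samples) {
  return samples.map((input) => ({
    input,
    naiveFlagsAsFile: naiveIsFileUrl(input),
    parsedProtocol: normalizedProtocol(input),
    allowed: isAllowedUrl(input),
  }));
}

console.table(classify(SAMPLES));
```

The third row is the one to look at: the prefix test does not flag it, while the parsed scheme is still file: and the allowlist rejects it.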

Affected Packages

Packagist spatie/browsershot
Affected versions: 0 (fixed in 5.0.2)

Related CVEs

Key Information

GHSA ID
GHSA-v528-6rq9-h6gw
Published
December 18, 2024 6:30 AM
Last Modified
December 18, 2024 3:48 PM
CVSS Score
7.5/10
Primary Ecosystem
Packagist
Primary Package
spatie/browsershot
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 19, 2025 6:29 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.