CVE-2019-15138
Arbitrary File Read in html-pdf
7.5
HIGH
CVSS 3.1
EPSS 0.32%
Description
All versions of `html-pdf` are vulnerable to Arbitrary File Read. The package fails to sanitize the HTML input, allowing attackers to exfiltrate server files by supplying malicious HTML code. Scripts in the HTML, including XHR requests, are executed by the server-side renderer. Input with an XHR request such as `request.open("GET","file:///etc/passwd")` will result in a PDF document containing the contents of `/etc/passwd`.
Recommendation
No fix is currently available. There is a mitigation available in the provided reference.
How to fix CVE-2019-15138
To remediate CVE-2019-15138, upgrade the affected package to a fixed version below.
- html-pdf: upgrade to 3.0.1 or later
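An added example, not part of this advisory or the html-pdf project: a fail-closed gate that refuses untrusted HTML containing active content (scripts, embedded documents, event handlers, `javascript:` and `file://` references, including the XHR pattern quoted above) before it reaches a server-side renderer. Upgrading is the fix; this check is defense in depth for callers not yet on 3.0.1, and the function names and sample inputs are constructed for illustration.

```javascript
// Added example (not html-pdf's own code): deny-gate for HTML that will be
// rendered server-side, where any script runs with the renderer's file access.
// It fails closed: a false positive costs one rejected document, a false
// negative could leak a server file, so any match rejects the whole input.
const ACTIVE_CONTENT = [
  { name: "script element", re: /<\s*script\b/i },
  { name: "iframe/object/embed element", re: /<\s*(iframe|object|embed)\b/i },
  { name: "inline event handler", re: /\son[a-z]+\s*=/i },
  { name: "javascript: URL", re: /javascript\s*:/i },
  { name: "file: URL", re: /file\s*:\s*\/\//i },
];

// Code points above U+10FFFF are invalid; drop them instead of throwing.
function cp(n) { return n <= 0x10ffff ? String.fromCodePoint(n) : ""; }

// Undo the usual tricks for hiding tokens from naive matching: numeric and
// named entities are decoded and control characters inside tokens removed.
function normalise(html) {
  return html
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => cp(parseInt(d, 10)))
    .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, "&")
    .replace(/[\u0000-\u001f]+/g, "");
}

// Returns the names of every active-content pattern found; empty means clean.
function findActiveContent(html) {
  const text = normalise(html);
  return ACTIVE_CONTENT.filter(({ re }) => re.test(text)).map(({ name }) => name);
}

// Call this before handing HTML to the renderer: throws instead of rendering.
function assertRenderable(html) {
  const findings = findActiveContent(html);
  if (findings.length) throw new Error("refusing to render: " + findings.join(", "));
  return html;
}

// Constructed samples: the exfiltration pattern from the advisory, and a
// harmless invoice fragment of the kind such a service normally renders.
const MALICIOUS = '<html><body><script>' +
  'var request = new XMLHttpRequest();' +
  'request.open("GET", "file:///etc/passwd", false); request.send();' +
  'document.write(request.responseText);</script></body></html>';
const BENIGN = '<html><body><h1>Invoice #1234</h1><p>Total: 42.00</p></body></html>';

console.log(findActiveContent(MALICIOUS)); // ["script element", "file: URL"]
console.log(findActiveContent(BENIGN));    // []
```

A denylist like this is a gate, not a sanitizer: for production use, render only HTML produced from a template you control, or pass user input through an allowlist-based HTML sanitizer, and run the renderer in a sandbox without access to sensitive files.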
Is CVE-2019-15138 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- html-pdf: from 0, < 3.0.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |