marcbachmann / node-html-pdf

This repo isn't maintained anymore as PhantomJS got deprecated a long time ago. Please migrate to headless Chrome/Puppeteer.
MIT License

npm audit gives "critical vulnerability" #594

Open arthabus opened 3 years ago

arthabus commented 3 years ago

Hi, not sure if the below info is enough, but running npm audit throws the below vulnerability:

"html-pdf": "^2.2.0"

[Screenshot: npm audit output, 2020-10-03]

Hopefully someone could look into it.

asmitachavan121 commented 3 years ago

Hi, this package is vulnerable to an Arbitrary File Read attack when scanned by Veracode. This vulnerability is found in version 2.2.0 (latest).

Description: html-pdf is vulnerable to arbitrary file read. An attacker is able to view local files by sending an XMLHttpRequest to fetch the contents and writing it into the HTML document during conversion of a file from HTML to PDF. This is due to using an emulated scriptable headless browser known as PhantomJS to save the render into PDF format, causing the JavaScript code in the file to be executed.

Hopefully, this will be solved very soon.
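The mechanism described in the comment above, as an added example that is not code from html-pdf or from anyone in this thread: a constructed payload of the kind the comment describes (script in the document reads a local file over XMLHttpRequest and writes it into the page so it lands in the PDF), plus a hardened render path on headless Chrome via Puppeteer, which the repository banner recommends migrating to. The function names `renderUntrustedHtml`, `isAllowedRequest` and `containsActiveContent` are hypothetical helpers for this example; Puppeteer is assumed to be installed separately and is passed in as a parameter so the file loads without it. The example goes slightly beyond the comment by also blocking non-script fetches (`<iframe>`/`<object>` pointing at `file://`), which can embed local file contents in the rendered PDF even when JavaScript is disabled.

```javascript
// Added example, not html-pdf's own code. Assumes puppeteer is installed
// separately; renderUntrustedHtml / isAllowedRequest / containsActiveContent
// are hypothetical helper names chosen for this illustration.

// Constructed payload of the kind the thread describes. Fed to a scriptable
// renderer that permits file:// access (e.g. pdf.create(untrustedHtml) on a
// PhantomJS-backed html-pdf), the file's contents end up in the output PDF.
const CONSTRUCTED_PAYLOAD = `
<html><body><pre id="out"></pre>
<script>
  var x = new XMLHttpRequest();
  x.open("GET", "file:///etc/passwd", false);
  x.send();
  document.getElementById("out").textContent = x.responseText;
</script></body></html>`;

// Request policy for the hardened renderer: the document is supplied inline,
// so nothing else (file:, http:, https:) should ever be fetched.
function isAllowedRequest(url) {
  return url === "about:blank" || url.startsWith("data:");
}

// Coarse pre-render tripwire: refuse documents that obviously carry active
// content (script tags, inline event handlers, javascript: URLs). This is a
// cheap gate with false positives, not a sanitizer; the real controls are
// disabling JavaScript and blocking requests in the renderer below.
function containsActiveContent(html) {
  return /<script\b|\son[a-z]+\s*=|javascript:/i.test(html);
}

// Hardened render path on headless Chrome. Puppeteer is injected so this
// module can be loaded (and the pure helpers tested) without a browser.
async function renderUntrustedHtml(html, puppeteer) {
  if (containsActiveContent(html)) {
    throw new Error("refusing to render HTML with active content");
  }
  const browser = await puppeteer.launch();
  try {
    const page = await browser.newPage();
    await page.setJavaScriptEnabled(false);   // nothing in the page can run
    await page.setRequestInterception(true);  // and nothing can be fetched
    page.on("request", (req) => {
      if (isAllowedRequest(req.url())) req.continue();
      else req.abort();                       // covers file:// via iframe/object too
    });
    await page.setContent(html, { waitUntil: "load" });
    return await page.pdf({ format: "A4" });
  } finally {
    await browser.close();
  }
}
```

Usage is `await renderUntrustedHtml(html, require("puppeteer"))`; the returned buffer is the PDF. Disabling JavaScript alone is not sufficient, because subresource and frame loads do not need script, so the request interceptor is the control that actually closes the local file read.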

clawdaddy commented 3 years ago

Duplicate of #530