CVE-2022-25765 _ Command Injection in pdfkit
📄

CVE-2022-25765 _ Command Injection in pdfkit

📅 [ Archival Date ]
Dec 7, 2022 7:52 PM
🏷️ [ Tags ]
pdfkitruby
✍️ [ Author ]
Benoit Côté-Jodoin
💣 [ PoC / Exploit ]

INTRODUCED: 14 JUN 2022

How to fix?

Upgrade pdfkit to version 0.8.7 or higher.

Overview

Affected versions of this package are vulnerable to Command Injection where the URL is not properly sanitized.

PoC:

An application could be vulnerable if it tries to render a URL that contains query string parameters with user input:

Calling to_pdf on the instance shows that the sleep command is indeed executing:

Of course, if the user can control completely the first argument of the PDFKit constructor, they can also exploit the command injection as long as it starts with "http":

References