How to fix?
pdfkitto version 0.8.7 or higher.
Affected versions of this package are vulnerable to Command Injection where the URL is not properly sanitized.
An application could be vulnerable if it tries to render a URL that contains query string parameters with user input:
to_pdf on the instance shows that the
sleep command is indeed executing:
Of course, if the user can control completely the first argument of the PDFKit constructor, they can also exploit the command injection as long as it starts with "http":