PDFKit vulnerable to Command Injection
Published: September 10, 2022
SECURITY IDENTIFIERS
- CVE: CVE-2022-25765 (NVD)
- GHSA: GHSA-rhwx-hjx2-x4qr
- Vendor Advisory: https://github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfkit/pdfkit.rb#L55-L58
ECOSYSTEM
GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
PATCHED VERSIONS
>= 0.8.7.2
DESCRIPTION
The package pdfkit, from version 0.0.0 through version 0.8.6, is vulnerable to command injection because the URL it is given is not properly sanitized before it is passed to the external command.
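As an added example (not from this advisory or the pdfkit project), a Ruby helper that flags a pdfkit version as inside the affected range stated above, next to the general hardening pattern for any wrapper that hands a caller-supplied URL to an external binary: deliver the URL as its own argv element (or escape it) rather than splicing it into a shell string. The `wkhtmltopdf` binary name reflects what pdfkit wraps; the function names and the sample URL are assumptions constructed here.

```ruby
require "rubygems"
require "shellwords"

# Range stated in the advisory: affected through 0.8.6, patched from 0.8.7.2.
PATCHED_MIN = Gem::Version.new("0.8.7.2")

# True when the given pdfkit version is older than the first patched release,
# i.e. it should be treated as affected by CVE-2022-25765.
def pdfkit_affected?(version)
  Gem::Version.new(version) < PATCHED_MIN
end

# Weak pattern: the URL is interpolated into one shell string, so /bin/sh
# re-parses it and any shell metacharacters in it change the command.
def shell_string_command(url, output)
  "wkhtmltopdf --quiet #{url} #{output}"
end

# Hardened pattern: an argv array. Passed to IO.popen or Open3 this execs the
# binary directly; the URL arrives as exactly one argument, never shell-parsed.
def argv_command(url, output)
  ["wkhtmltopdf", "--quiet", url, output]
end

# Fallback when a shell string is unavoidable: escape every argument so the
# shell reassembles the same argv the array form would have produced.
def escaped_shell_command(url, output)
  argv_command(url, output).map { |arg| Shellwords.escape(arg) }.join(" ")
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a benign URL containing a space shows how the shell
  # would split the unescaped form into an extra word.
  url = "http://example.test/a b"
  puts "pdfkit 0.8.6 affected?   #{pdfkit_affected?('0.8.6')}"
  puts "pdfkit 0.8.7.2 affected? #{pdfkit_affected?('0.8.7.2')}"
  puts "unescaped words: #{Shellwords.split(shell_string_command(url, 'out.pdf')).size}"
  puts "escaped words:   #{Shellwords.split(escaped_shell_command(url, 'out.pdf')).size}"
end
```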
