cbcvebase.
CVE-2022-35583
published 2022-08-22

CVE-2022-35583: wkhtmltopdf 0.12.6 is vulnerable to SSRF: an injected <iframe> whose src points at an internal IP address makes the server-side renderer fetch that internal asset.

Priority P268 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT: a public exploit is referenced in the sources below
EPSS: 11.28% (95.4th percentile)
wkhtmltopdf 0.12.6 renders attacker-supplied HTML with an embedded WebKit engine and fetches every resource the markup references. An attacker who can inject an <iframe> whose src points at an internal IP address therefore makes the server-side renderer request that internal asset and embed the response in the generated PDF: a server-side request forgery (SSRF) with response read-back. From that foothold the attacker can enumerate and reach internal services that are not exposed to the network, which the CVE description summarizes as a takeover of the whole infrastructure.

Affected (3 ranges)

Vendor         Product        Version range   Fixed in
debian         pandoc         (none listed)   (none listed)
debian         wkhtmltopdf    (none listed)   (none listed)
wkhtmltopdf    wkhtmltopdf    (none listed)   (none listed)

pandoc is listed because Debian's pandoc package can drive wkhtmltopdf as its PDF engine.

Detection & IOCs (extracted from sources)

url:     POST /PDF/FromHTML HTTP/1.1
path:    /PDF/FromHTML
command: __RequestVerificationToken=Token&header=....&data= ....
  • Monitor HTTP POST requests to PDF-generation endpoints (e.g. /PDF/FromHTML) whose HTML payload contains injected <iframe> tags referencing internal or RFC 1918 addresses; that is the SSRF delivery mechanism for this CVE. Match on the URL-decoded body, and do not key on <iframe> alone: any element the renderer fetches (<img>, <link>, <script>, <object>) issues the same request, and the target may be written as a decimal, hex or IPv4-mapped IPv6 literal instead of a dotted quad.
  • Inspect the `data` and `header` POST body parameters submitted to wkhtmltopdf-backed PDF generation endpoints for embedded <iframe src="http://...internal..."> payloads.
  • Alert on outbound HTTP/HTTPS requests originating from the wkhtmltopdf process (or its parent web application) to internal/private IP ranges. On a host that otherwise only serves inbound traffic this is the most reliable indicator of successful exploitation, and it also catches payloads that body inspection missed.
  • The exploit was tested specifically on Windows ASP.NET deployments of wkhtmltopdf 0.12.6; detection logic targeting the /PDF/FromHTML endpoint may need to be adapted for other framework-specific endpoint paths.
  • Debian bookworm and bullseye packages remain open/unpatched for CVE-2022-35583 as of the tracker data; environments running wkhtmltopdf from Debian repos should treat the vulnerability as unmitigated. Compensating controls are egress filtering for the host that runs the renderer and stripping remote-loading elements from user-supplied HTML before it is rendered.
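Added example, not code from the tracker page, the exploit author or the wkhtmltopdf project: it applies the two body-inspection bullets above to a captured request body. It decodes the form-encoded POST, pulls every resource-loading URL out of the `header` and `data` fields (field names taken from the sample request above), and flags targets that fall in loopback, link-local or private address space without touching DNS. The HTML payload in the sample body is constructed for the demonstration; the obfuscated address forms (decimal, hex, IPv4-mapped IPv6, scheme-relative URL) are included because a dotted-quad regex misses them.

```python
"""Scan a form-encoded POST body for wkhtmltopdf SSRF payloads.

Added example, not code from the tracker page or the wkhtmltopdf project.
Field names `header` and `data` follow the sample request on the page.
"""
import ipaddress
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Elements whose attribute makes a headless renderer issue a request.
FETCHING_ATTRS = {
    "iframe": ("src",), "frame": ("src",), "img": ("src",),
    "script": ("src",), "link": ("href",), "object": ("data",),
    "embed": ("src",), "source": ("src",),
}
HTML_FIELDS = ("header", "data")


class _UrlCollector(HTMLParser):
    """Collect (tag, url) pairs for every resource-loading attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.found: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.found.append((tag, value.strip()))


def host_to_ip(host: str):
    """Return the IP literal behind `host`, decoding the decimal (2130706433)
    and hex (0x7f000001) forms that slip past a dotted-quad regex.
    Returns None for DNS names, which cannot be judged without resolving."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        n = int(host, 0)          # plain decimal or 0x-prefixed hex
    except ValueError:
        return None
    return ipaddress.ip_address(n) if 0 <= n < 2 ** 32 else None


def classify_url(url: str) -> str:
    """Return why `url` is suspicious for a server-side renderer, or "" if not."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not scheme and parts.netloc:
        scheme = "http"           # scheme-relative //host/ inherits http(s)
    if not scheme:
        return ""                 # relative path: stays on the app's own origin
    if scheme not in ("http", "https"):
        return "non-http scheme"  # e.g. file:, which a renderer may also open
    host = (parts.hostname or "").strip()
    if host == "localhost":
        return "loopback"
    ip = host_to_ip(host)
    if ip is None:
        return ""                 # hostname: needs a resolution-time check
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped       # ::ffff:10.0.0.5 is really 10.0.0.5
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"       # includes 169.254.169.254 metadata endpoints
    if ip.is_private:
        return "private"
    if ip.is_unspecified or ip.is_reserved:
        return "reserved"
    return ""


def scan_post_body(body: str) -> List[Tuple[str, str, str, str]]:
    """Return (field, tag, url, reason) for each suspicious resource URL in
    the HTML-bearing fields of a form-encoded request body."""
    findings = []
    params = parse_qs(body, keep_blank_values=True)
    for field in HTML_FIELDS:
        for html in params.get(field, []):
            collector = _UrlCollector()
            collector.feed(html)
            collector.close()
            for tag, url in collector.found:
                reason = classify_url(url)
                if reason:
                    findings.append((field, tag, url, reason))
    return findings


# Constructed sample body in the shape of the request on the page; the HTML
# payload is invented for this example. Benign CDN and relative URLs are mixed
# in to show they are not reported.
SAMPLE_BODY = urlencode({
    "__RequestVerificationToken": "Token",
    "header": "<h1>Invoice</h1>",
    "data": (
        "<p>hello</p>"
        '<iframe src="http://192.168.0.10/"></iframe>'
        '<img src="http://0x7f000001:8080/admin">'
        '<iframe src="//[::ffff:10.0.0.5]/"></iframe>'
        '<link rel="stylesheet" href="https://cdn.example.com/a.css">'
        '<script src="/static/app.js"></script>'
    ),
})

if __name__ == "__main__":
    for field, tag, url, reason in scan_post_body(SAMPLE_BODY):
        print(f"{field}: <{tag}> -> {url}  [{reason}]")
```

Run against the sample it reports three findings (the RFC 1918 iframe, the hex-encoded loopback image and the IPv4-mapped IPv6 iframe) and stays silent on the CDN stylesheet and the relative script. Hostnames are deliberately left unclassified: a static body check cannot see what a name resolves to at render time, which is why the egress-monitoring bullet above remains the authoritative signal.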

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv                      9.8    CRITICAL
vulncheck                9.8    CRITICAL
vendor_debian            9.8    LOW
vendor_redhat            9.8    CRITICAL

Debian's tracker carries the 9.8 base score but rates its own urgency for the issue as low.