CVE-2023-41330
Published 2023-09-06
Priority: P2 (61) · Severity: critical, CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.88% (76.8th percentile)
knplabs/knp-snappy is a PHP library allowing thumbnail, snapshot or PDF generation from a URL or an HTML page.

## Issue

On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. Version 1.4.2 added a check `if (\strpos($filename, 'phar://') === 0)` in the `prepareOutput` function to resolve this CVE. However, if the user is able to control the second parameter of the `generateFromHtml()` function of Snappy, that value is passed as the `$filename` parameter of `prepareOutput()`.

In the original vulnerability, a file name with a `phar://` wrapper could be sent to the `fileExists()` function, equivalent to the `file_exists()` PHP function. This allowed users to trigger a deserialization of arbitrary PHAR files. To fix this issue, the string is now passed to `strpos()` and if it starts with `phar://`, an exception is raised. However, PHP stream wrappers are resolved case-insensitively, so this patch can be bypassed using `PHAR://` instead of `phar://`.

A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8. This issue has been addressed in commit `d3b742d61a`, which is included in version 1.4.3. Users are advised to upgrade. Users unable to upgrade should ensure that only trusted users may submit data to the `AbstractGenerator->generate(...)` function.
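The following is an added illustration written for this page, not code from the Snappy project: it replicates the one-line 1.4.2 condition quoted above, shows which inputs slip past it, and places a hardened variant beside it. Function names are hypothetical, and the hardened check is an illustrative defense, not the content of the upstream 1.4.3 commit.

```php
<?php
declare(strict_types=1);

// Added illustration for CVE-2023-41330 (not Snappy's own source). Function
// names are hypothetical; the condition inside prepareOutputPrefixCheck() is
// the one the advisory quotes from knp-snappy 1.4.2.

/**
 * Replicates the 1.4.2 guard: only an exact lowercase 'phar://' prefix is
 * rejected. PHP resolves stream wrapper names case-insensitively, so
 * 'PHAR://' passes this check and still reaches file_exists(), where PHP < 8
 * automatically unserializes the archive's metadata.
 */
function prepareOutputPrefixCheck(string $filename): string
{
    if (\strpos($filename, 'phar://') === 0) {
        throw new \InvalidArgumentException('The output file cannot be a phar archive.');
    }
    return $filename;
}

/**
 * Hardened guard (illustrative, not the upstream 1.4.3 patch): an output path
 * for a generated document never legitimately carries a stream wrapper, so
 * reject any "scheme://" prefix, matched case-insensitively, instead of
 * enumerating spellings of one wrapper.
 */
function prepareOutputSchemeCheck(string $filename): string
{
    // RFC 3986 scheme characters followed by "://", in any letter case.
    if (\preg_match('#^[a-z][a-z0-9+.\-]*://#i', $filename) === 1) {
        throw new \InvalidArgumentException('Stream wrappers are not allowed in the output path.');
    }
    return $filename;
}

/**
 * Runs both guards over constructed inputs and reports which were accepted.
 * The bypass shows up as 'accepted' in the "prefix" column for PHAR:// and Phar://.
 */
function compareGuards(): array
{
    $inputs = [
        '/var/www/out/report.pdf',             // benign output path
        'phar:///var/www/uploads/a.jpg/x.pdf', // rejected by both guards
        'PHAR:///var/www/uploads/a.jpg/x.pdf', // bypasses the 1.4.2 prefix check
        'Phar:///var/www/uploads/a.jpg/x.pdf', // mixed case, same bypass
        'compress.zlib:///var/www/out/r.pdf',  // a different wrapper; only the scheme check rejects it
    ];
    $guards = ['prefix' => 'prepareOutputPrefixCheck', 'scheme' => 'prepareOutputSchemeCheck'];
    $report = [];
    foreach ($inputs as $filename) {
        foreach ($guards as $label => $guard) {
            try {
                $guard($filename);
                $report[$filename][$label] = 'accepted';
            } catch (\InvalidArgumentException $e) {
                $report[$filename][$label] = 'rejected';
            }
        }
    }
    return $report;
}

foreach (compareGuards() as $filename => $result) {
    \printf("%-40s prefix=%-8s scheme=%s\n", $filename, $result['prefix'], $result['scheme']);
}
```

Run it with `php example.php`: the `prefix` column accepts the `PHAR://` and `Phar://` inputs, which is the bypass the advisory describes, while the scheme check rejects every wrapper spelling. The scheme check is a defense-in-depth pattern for code that builds output paths from user input; upgrading to 1.4.3 remains the fix for the library itself.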
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| knplabs | knp-snappy | >= 0 < 1.4.3 | 1.4.3 |
| knplabs | snappy | < 1.4.3 | 1.4.3 |
| msrc | azl3_snappy_1.1.10-2_on_azure_linux_3.0 | — | — |

Caveat: the Azure Linux package `snappy` at version 1.1.10 follows the version line of the Google Snappy compression library (C++), not knplabs/knp-snappy (a PHP package whose fixed release is 1.4.3); verify that mapping before treating an Azure Linux host as exposed to this PHP issue.
Detection & IOCs (extracted from sources)
- Detect PHAR wrapper bypass via case-insensitive variants (e.g., `PHAR://`) passed as the second parameter to `generateFromHtml()` or as `$filename` in `prepareOutput()`
- Monitor for PHAR deserialization attempts via `file_exists()`-equivalent calls (`fileExists()`) with attacker-controlled filenames containing `phar://` or `PHAR://` wrappers
- Flag exploitation attempts where user-controlled input reaches `AbstractGenerator->generate(...)` with PHAR-scheme filenames
- Exploitation requires a prior file upload step; correlate suspicious file uploads with subsequent PHAR deserialization triggers on PHP versions prior to 8
- Exploitation is limited to PHP versions prior to 8; environments running PHP 8+ are not affected by this specific PHAR deserialization vector
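The detection points above reduce to one practical rule: a match for the wrapper must be case-insensitive and must run on percent-decoded input, because PHP itself resolves wrapper names case-insensitively. The scanner below is an added example written for this page (not a vendor rule or anything from the advisory); the endpoint, the `output` parameter name and the log lines are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added detection example for CVE-2023-41330, not from the advisory or any
// vendor rule. The endpoint, the "output" parameter and the log lines below
// are invented for the example.

/** Constructed sample lines in common log format; not real traffic. */
const SAMPLE_LOG = [
    '10.0.0.5 - - [06/Sep/2023:10:00:01 +0000] "POST /report?output=/var/www/out/report.pdf HTTP/1.1" 200 512',
    '10.0.0.9 - - [06/Sep/2023:10:00:07 +0000] "POST /report?output=phar:///var/www/uploads/avatar.jpg/x.pdf HTTP/1.1" 500 0',
    '10.0.0.9 - - [06/Sep/2023:10:00:09 +0000] "POST /report?output=PHAR%3A%2F%2F%2Fvar%2Fwww%2Fuploads%2Favatar.jpg%2Fx.pdf HTTP/1.1" 500 0',
    '10.0.0.9 - - [06/Sep/2023:10:00:12 +0000] "POST /report?output=%2550%2548%2541%2552%253A%252F%252F%252Fvar%252Fwww%252Fuploads%252Fx.pdf HTTP/1.1" 500 0',
];

/** Percent-decode repeatedly (bounded) so double-encoded payloads surface. */
function fullyDecode(string $value, int $maxRounds = 3): string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $decoded = \rawurldecode($value);
        if ($decoded === $value) {
            break;
        }
        $value = $decoded;
    }
    return $value;
}

/** Literal, case-sensitive match: what a rule copied from the 1.4.2 check would do. */
function naiveMatch(string $line): bool
{
    return \strpos($line, 'phar://') !== false;
}

/** Decode first, then match the wrapper name case-insensitively. */
function robustMatch(string $line): bool
{
    return \preg_match('#phar://#i', fullyDecode($line)) === 1;
}

/** Flag decoded paths that point into an upload directory (the prior-upload prerequisite). */
function referencesUploadDir(string $line): bool
{
    return \preg_match('#/uploads/#i', fullyDecode($line)) === 1;
}

/** Returns one finding per line: which matcher fired and whether an upload path is involved. */
function scanLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $index => $line) {
        $findings[] = [
            'line'   => $index + 1,
            'naive'  => naiveMatch($line),
            'robust' => robustMatch($line),
            'upload' => referencesUploadDir($line),
        ];
    }
    return $findings;
}

foreach (scanLog(SAMPLE_LOG) as $f) {
    \printf(
        "line %d  naive=%s  robust=%s  upload_path=%s\n",
        $f['line'],
        $f['naive'] ? 'hit' : 'miss',
        $f['robust'] ? 'hit' : 'miss',
        $f['upload'] ? 'yes' : 'no'
    );
}
```

Lines 3 and 4 (uppercase, single- and double-encoded) are missed by the literal matcher and caught by the decoded, case-insensitive one; line 1 stays clean under both. The `upload_path` column is the correlation hint from the list above: a wrapper pointing into the upload directory is the combination the exploit needs, so it deserves a higher alert priority than a bare wrapper string.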
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 9.8 | CRITICAL | — |
| osv | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 9.8 | CRITICAL | — |
GHSA
ghsa · 2023-09-08 · CVSS 9.8
CVE-2023-41330 [CRITICAL] CWE-502 Snappy PHAR deserialization vulnerability
## Issue
On March 17th the vulnerability [CVE-2023-28115 was disclosed](https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc), allowing an attacker to gain remote code execution through PHAR deserialization. To fix this issue, version 1.4.2 was released with an additional check in the affected function to prevent the usage of the `phar://` wrapper. However, because PHP wrappers are case-insensitive and the patch only checks for the exact string `phar://`, it can be bypassed to achieve remote code execution again by using a different case, for example `PHAR://`.
As with the initial vulnerability, PHP 7 or below is required for successful exploitation, since the deserialization of PHP archive metadata via the `phar://` wrapper during filesystem operations no longer happens automatically in PHP 8.
## Technical
OSV
Snappy PHAR deserialization vulnerability
osv · 2023-09-08 · CVSS 9.8
CVE-2023-41330 [CRITICAL] Snappy PHAR deserialization vulnerability
Advisory text identical to the GHSA entry above.
Microsoft
Unsafe deserialization in knplabs/knp-snappy
vendor_msrc · 2023-09-12 · CVSS 9.8
CVE-2023-41330 [CRITICAL] CWE-502 Unsafe deserialization in knplabs/knp-snappy
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Tags: Mariner, GitHub_M
Customer Action Required: Yes
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/KnpLabs/snappy/commit/d3b742d61a68bf93866032c2c0a7f1486128b67e
- https://github.com/KnpLabs/snappy/security/advisories/GHSA-92rv-4j2h-8mjj
- https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc