Recommendation
This package is working as intended. A Security section has been added since v0.6.1 to detail proper usage of this library. Npm has revoked their advisory altogether.
Original Advisory
All versions of html-pdf-chrome are vulnerable to Server-Side Request Forgery (SSRF). The package executes HTTP requests if the parsed HTML contains external references to resources, such as <iframe src="http://localhost" height="800px" width="800px"></iframe>. This allows attackers to access resources through HTTP that are accessible to the server, including private resources in the hosting environment.
References
Recommendation
This package is working as intended. A Security section has been added since v0.6.1 to detail proper usage of this library. Npm has revoked their advisory altogether.
Original Advisory
All versions of
html-pdf-chromeare vulnerable to Server-Side Request Forgery (SSRF). The package executes HTTP requests if the parsed HTML contains external references to resources, such as<iframe src="http://localhost" height="800px" width="800px"></iframe>. This allows attackers to access resources through HTTP that are accessible to the server, including private resources in the hosting environment.References