GHSA-342q-2mc2-5gmp
LOW@jmondi/url-to-png enables capture screenshot of localhost web services (unauthenticated pages)
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
@jmondi/url-to-pngnpmDescription
Summary
The maintainer been contemplating whether FTP or other protocols could serve as useful functionalities, but there may not be a practical reason for it since we are utilizing headless Chrome to capture screenshots. The argument is based on the assumption that this package can function as a service.
The package includes an ALLOW_LIST where the host can specify which services the user is permitted to capture screenshots of. By default, capturing screenshots of web services running on localhost, 127.0.0.1, or the [::] is allowed.
The maintainer is of the opinion that the package should also have a blacklist due to a potential vulnerability (or rather design oversight). If someone hosts this on a server, users could then capture screenshots of other web services running locally.
Unless this is strictly for web pages. Something similar here: https://github.com/follow-redirects/follow-redirects/issues/235 (localhost is intended for end users or hosts to deny, and the package is for HTTP/HTTPS.)
This is marked as a LOW since the maintainer is not sure if this is a vulnerability, but it's still best to highlight it. :)
PoC
Have a service like so running locally:
const http = require("http")
const server = http.createServer((req, res) => {
console.log("Received headers:", req.headers)
res.writeHead(200, { "Content-Type": "text/plain" })
res.end("Something private! But Hello from Server 2 :)")
})
server.listen(3001, () => {
console.log("Server two running on http://localhost:3001")
})
Run the package in dev mode, pnpm dev. Feed these URLs:
http://localhost:3089/?url=http://[::]:3001&width=4000
http://localhost:3089/?url=http://localhost:3001&width=4000
http://localhost:3089/?url=http://127.0.01:3001&width=4000
Impact
Disclose internal web services?
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @jmondi/url-to-png | all versions | 2.1.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @jmondi/url-to-png. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @jmondi/url-to-png to 2.1.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-342q-2mc2-5gmp is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-342q-2mc2-5gmp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-342q-2mc2-5gmp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-342q-2mc2-5gmp in your dependencies?
O3 detects GHSA-342q-2mc2-5gmp across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.