GHSA-vvmv-wrvp-9gjr
MEDIUM@jmondi/url-to-png contains a Path Traversal vulnerability
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
@jmondi/url-to-pngReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.
Description
Summary
When trying to add a BLOCK_LIST feature when the maintainer noticed they didn't sanitize the ImageId in the code, which leads to path traversal vulnerability. Now, this is different from a traditional path traversal issue, because as of NOW you can store the image in any place arbitrarily, and given enough time they might be able to come up with a working exploit BUT for the time being they am reporting this.
Details
@jmondi/url-to-png does not sanitizing the ImageID as in not removing special chars from the params (extract_query_params.ts#l75)
const imageId = dateString + "." + slugify(validData.url) +configToString(params);
This when fed to other parts of the code such as (filesystem.ts#L34)
return path.join(this.storagePath, imageId) + ".png";
Would result in path traversal issue.
PoC
# Configuration for filesystem storage provider (optional)
STORAGE_PROVIDER=filesystem
IMAGE_STORAGE_PATH=poc
Set this in your .env file and use this as your payload.
http://localhost:3089/?url=http://example.com&width=400&isDarkMode=../../../../../../../../../../../../tmp/hack
This will create a .png file in the /tmp section of the system.
Loom POC: https://www.loom.com/share/bd7b306cdae7445c97e68f0626e743a6
This is valid for pretty much all the arguments (except for numeric values)
A simple fix would be to use the slugify for the params as well like so (#L75)
- const imageId = dateString + "." + slugify(validData.url) + configToString(params);
+ const imageId = dateString + "." + slugify(validData.url) + slugify(configToString(params));
Impact
This would be path traversal vulnerability which allows arbitrary write as of now.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | @jmondi/url-to-png | all versions | 2.1.2 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @jmondi/url-to-png. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update @jmondi/url-to-png to 2.1.2 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-vvmv-wrvp-9gjr is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-vvmv-wrvp-9gjr is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-vvmv-wrvp-9gjr. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-vvmv-wrvp-9gjr in your dependencies?
O3 detects GHSA-vvmv-wrvp-9gjr across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.