CVE-2025-26240
Received - Intake
Remote Code Execution in python-pdfkit

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: MITRE

Description
In JazzCore python-pdfkit 1.0.0, the from_string method enables the execution of JavaScript code within the context of the server application and the exfiltration of local files.
Affected Vendors & Products
Currently, no data is known.
CWE ID Description
CWE-UNKNOWN
Executive Summary

The vulnerability in JazzCore python-pdfkit 1.0.0 occurs in the from_string method, which improperly parses user-provided HTML input. This method processes meta tags with names starting with "pdfkit-" and treats their values as command-line parameters for the wkhtmltopdf tool.

Attackers can exploit this by crafting malicious HTML containing meta tags that inject dangerous arguments such as --enable-local-file-access and --post-file. This allows them to read sensitive local files (Local File Inclusion) and exfiltrate their contents.

Additionally, the vulnerability enables execution of arbitrary JavaScript code and Server-Side Request Forgery (SSRF) attacks by injecting parameters like --script. The root cause is insufficient validation of input and the ability to override developer security settings due to Python dictionary handling.

Impact Analysis

This vulnerability can lead to Local File Inclusion (LFI), allowing attackers to read sensitive files on the server such as /etc/passwd.

Attackers can exfiltrate these files by sending their contents to external servers using crafted meta tags.

It also enables execution of arbitrary JavaScript code within the server context, which can be used for Server-Side Request Forgery (SSRF) attacks.

SSRF can allow attackers to make unauthorized HTTP requests to internal or external services, potentially accessing restricted resources, bypassing security controls, or extracting sensitive credentials from cloud metadata services.

Detection Guidance

Detection of this vulnerability involves identifying usage of the vulnerable from_string method in the python-pdfkit library, especially where user-provided HTML input is processed.

Since the vulnerability arises from malicious meta tags in HTML input that inject command-line arguments to wkhtmltopdf, monitoring for suspicious HTML containing meta tags with names starting with "pdfkit-" can help detect exploitation attempts.

On the system, you can search for usage of the from_string method in your codebase or logs.

  • Use grep or similar tools to find calls to from_string in your project: grep -r "from_string" /path/to/your/code
  • Inspect logs or network traffic for unusual HTTP requests containing HTML with meta tags named "pdfkit-*".
  • Monitor for unexpected file access or outbound POST requests that could indicate exfiltration attempts.

No specific commands for automated detection are provided in the resources, but these manual inspection steps can help identify potential exploitation.
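
One way to automate the meta-tag inspection described above, as an added example that is not code from the advisory or from the python-pdfkit project. The function names, the high-risk set (taken from the option names this page mentions) and the sample inputs are assumptions, and the standard-library HTML parser used here may not match tags exactly the way the library does.

```python
from html.parser import HTMLParser

PREFIX = "pdfkit-"  # meta-name prefix the advisory says from_string honours
# Option names this page calls out as dangerous when injected (assumed set).
HIGH_RISK = {"enable-local-file-access", "post-file", "script"}


class _MetaOptionFinder(HTMLParser):
    """Collects <meta name="pdfkit-..." content="..."> tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag != "meta":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name", "").strip().lower()
        if name.startswith(PREFIX):
            option = name[len(PREFIX):].lstrip("-")
            self.found.append((option, a.get("content", "")))


def scan_html(html):
    """Return one finding per pdfkit-* meta tag in untrusted HTML."""
    finder = _MetaOptionFinder()
    finder.feed(html)
    finder.close()
    return [{"option": o, "value": v, "high_risk": o in HIGH_RISK}
            for o, v in finder.found]


def is_safe_for_from_string(html):
    """Policy: user-supplied HTML must carry no pdfkit-* meta tag at all."""
    return not scan_html(html)


# Constructed sample inputs (not captured traffic).
BENIGN = ("<html><head><meta name='viewport' content='width=device-width'>"
          "</head><body>Invoice</body></html>")
SUSPICIOUS = ('<html><head><META NAME="pdfkit-enable-local-file-access" content="">'
              '<meta name="pdfkit-page-size" content="A4"/></head></html>')

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_html(doc))
```

The same scan can run as a request-time gate in front of PDF rendering or offline over logged request bodies.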

Mitigation Strategies

The simplest and most effective mitigation is to avoid using the vulnerable from_string method in the python-pdfkit library.

Instead, developers should save the HTML content to a temporary file and use the from_file method, which does not parse meta tags and thus avoids the vulnerability.

This approach eliminates the risk of command injection through meta tag manipulation.

Compliance Impact

The vulnerability in python-pdfkit's from_string method allows attackers to execute arbitrary JavaScript and exfiltrate local files, leading to Local File Inclusion (LFI) and Server-Side Request Forgery (SSRF). This can result in unauthorized access to sensitive data and exposure of confidential information.

Such unauthorized data access and exfiltration can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive data to prevent breaches and unauthorized disclosures.

Therefore, exploitation of this vulnerability could compromise the confidentiality and integrity of protected data, potentially resulting in regulatory violations and associated penalties.
