Impact
Snappy is a PHP library used to generate thumbnails, snapshots or PDFs from web content. The flaw stems from a logic error in which the filename provided to escapeshellarg is never properly shell-escaped on POSIX systems. The binary path passed to the system command is therefore taken literally, including any surrounding single quotes. As a result, an attacker who can influence the binary path (through configuration files, environment variables, or request-derived values) can inject arbitrary shell commands. The remaining command line arguments are escaped correctly, so the injection vector is limited to the binary path. The impact is execution of arbitrary commands with the privileges of the account running the PHP process, which could lead to full server compromise or data exfiltration.
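To make the described pattern concrete, the following is an added illustration and not Snappy's own code: a command builder that escapes every argument except the binary, beside a hardened variant that allow-lists and escapes the binary as well. The function names, the allow-list and the tainted configuration value are constructed for this example.

```php
<?php
// Added illustration, not Snappy's code: a binary path that reaches the
// shell unescaped is a command-injection sink even when every other
// argument is escaped correctly.

// Vulnerable pattern: the arguments are escaped, the binary is not.
function buildCommandUnsafe(string $binary, string $input, string $output): string
{
    return $binary . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
}

// Hardened pattern: the binary must resolve to one of a fixed set of
// absolute paths, must be executable, and is escaped like any other token.
function buildCommandSafe(string $binary, string $input, string $output, array $allowedBinaries): string
{
    $resolved = realpath($binary);
    if ($resolved === false
        || !in_array($resolved, $allowedBinaries, true)
        || !is_executable($resolved)) {
        throw new InvalidArgumentException('binary path is not on the allow-list');
    }
    return escapeshellarg($resolved) . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
}

// Constructed attacker-influenced configuration value: a shell metacharacter
// sequence appended to what looks like a legitimate binary path.
$tainted = '/usr/local/bin/wkhtmltopdf; echo injected';

// The injected text survives into the command line verbatim.
echo buildCommandUnsafe($tainted, 'in.html', 'out.pdf'), "\n";

// The hardened builder rejects it before any command line is assembled,
// because realpath() fails for a path that does not exist.
try {
    buildCommandSafe($tainted, 'in.html', 'out.pdf', ['/usr/local/bin/wkhtmltopdf']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

On PHP 7.4 or later, handing proc_open an array of command tokens instead of a string bypasses the shell entirely, which removes this class of injection independently of escaping.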
Affected Systems
The vulnerability is present in all releases of the KnpLabs snappy PHP library prior to version 1.7.1. Users of older versions who rely on Snappy for rendering PDFs or images should be aware that any user-controlled configuration or environment value affecting the binary path could be exploited.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity risk. The EPSS score is not available, and the absence of a documented exploit in the KEV list does not lessen the risk, because the flaw is a classic command injection scenario. Attackers can craft input that sets the binary path to a malicious value, causing the underlying system command to execute arbitrary code. The vulnerability can be exploited remotely through any public interface that allows the attacker to influence configuration or environment settings associated with Snappy.