An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.
The SVG parser in dompdf improperly restricts the processing of external XML entities (XXE), which allows embedding malicious references to external resources in an SVG document. An attacker can thus trigger SSRF requests to the server's internal infrastructure, disclose internal graphic files, and conduct a PHAR deserialization attack by providing an appropriately crafted file. Importantly, the vulnerability is active even when the isRemoteEnabled option is set to false, which contradicts the common belief in the effectiveness of this security measure.
An attacker can gain unauthorized access to internal network resources (SSRF), disclose sensitive files from the server, and perform a deserialization attack that potentially leads to server takeover (RCE).
The dompdf library should be updated to version 2.0.0 or later. Patch details are available in the vendor references at: https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799
All versions of the dompdf/dompdf library prior to 2.0.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDompdf Project Dompdf
APPDompdf Project< 2.0.0
Related vulnerabilities
RCE przez PHAR deserialization w DomPDF przed wersją 2.0.0
Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and...
Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passi...
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Styl...
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation f...