CVE-2021-3838
published 2024-11-15

Priority: P263 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.43% (69.7th percentile)
DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.

Affected

4 ranges

Vendor          Product          Version range                           Fixed in
debian          php-dompdf       < php-dompdf 2.0.2+dfsg-1 (bookworm)    php-dompdf 2.0.2+dfsg-1 (bookworm)
dompdf          dompdf           >= 0 < 2.0.0                            2.0.0
dompdf          dompdf_dompdf    >= unspecified < 2.0.0                  2.0.0
dompdf_project  dompdf           < 2.0.0                                 2.0.0

Detection & IOCs (extracted from sources)

  • Detect use of the phar:// protocol wrapper being passed into file_get_contents() within DomPDF processing, which is the core exploitation vector for this vulnerability.
  • Monitor for PHAR file uploads to the server combined with subsequent DomPDF HTML content referencing phar:// URIs, as this two-step pattern is required for exploitation.
  • Prioritize detection in environments where DomPDF is used alongside Laravel or other PHP frameworks with known POP (Property-Oriented Programming) chains, as these dramatically increase the likelihood of RCE following successful deserialization.
  • The vulnerability is fixed in DomPDF version 2.0.0 and later. Debian bookworm and sid resolved it in 2.0.2+dfsg-1; Debian bullseye resolved it in 0.6.2+dfsg-3.1+deb11u1. Ensure the deployed version is at or above these thresholds before deprioritizing detection.
  • Exploitation requires the attacker to already have the ability to upload arbitrary file types to the server. Environments with strict upload controls (type/extension filtering) significantly reduce the attack surface.
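The root cause above is that a resource URI reaches file_get_contents() with no check on its stream wrapper. The following is an added example of enforcing that check at the call site (a scheme allowlist plus path confinement for local files); it is not dompdf's own 2.0.0 fix, and the function names, the allowlist and the assets directory are assumptions.

```php
<?php
// Added example, not dompdf code: refuse any stream wrapper that is not
// explicitly allowed before the URI is handed to file_get_contents().

function resource_scheme(string $uri): string {
    // A leading "scheme:" (letters, digits, + - .) selects a PHP stream
    // wrapper such as phar://, php:// or data:. Match case-insensitively
    // since wrapper names are not case-sensitive. Anything without a
    // scheme is treated as a plain local path.
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $uri, $m)) {
        return strtolower($m[1]);
    }
    return 'file';
}

function safe_get_contents(string $uri, array $allowed = ['http', 'https', 'file']) {
    $scheme = resource_scheme($uri);
    if (!in_array($scheme, $allowed, true)) {
        // Default-deny: phar://, data:, expect:, a Windows drive letter
        // parsed as a one-letter scheme, and anything else not listed.
        error_log("blocked resource with disallowed scheme '$scheme': $uri");
        return false;
    }
    if ($scheme === 'file') {
        // Drop an explicit file:// prefix and confine the resolved path to
        // an assumed assets directory so "file" cannot become a traversal.
        $path = preg_replace('#^file://#i', '', $uri);
        $real = realpath($path);
        $base = realpath(__DIR__ . '/assets');
        if ($real === false || $base === false
            || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
            error_log("blocked local path outside assets dir: $uri");
            return false;
        }
        return file_get_contents($real);
    }
    return file_get_contents($uri);
}

// Constructed sample URIs: only the first two should be fetched.
foreach (['https://example.test/logo.png', 'assets/logo.png',
          'phar://uploads/avatar.jpg/x', 'PHAR://uploads/avatar.jpg/x', 'data:text/plain,x'] as $u) {
    printf("%-40s %s\n", $u, safe_get_contents($u) === false ? 'blocked' : 'allowed');
}
```

Keep the allowlist as short as the deployment needs; the Debian and upstream fixed versions listed above remain the primary remediation, and this check is defence in depth for application code that feeds user-controlled HTML to the renderer.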

CVSS provenance

Source          Version   Score  Severity  Vector
nvd             v3.1      9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v3.0      9.8    CRITICAL  CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv             -         9.8    CRITICAL  -
vendor_debian   -         9.8    CRITICAL  -
vendor_ubuntu   -         6.5    MEDIUM    -