CVE-2023-23924
published 2023-02-01CVE-2023-23924: Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `` tags with uppercase letters. This may lead…
PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
3.57%
87.9th percentile
Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | php-dompdf | — | — |
| dompdf | dompdf | — | — |
| dompdf | dompdf | >= 0 < 2.0.2 | 2.0.2 |
| dompdf | dompdf | >= 2.0.2 < 2.0.3 | 2.0.3 |
| dompdf_project | dompdf | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Look for SVG files supplied to dompdf containing <image> or <use> tags with uppercase letters (e.g., <IMAGE>, <USE>) to bypass URI validation ↗
- →Monitor for dompdf processing SVG inputs that reference phar:// URLs, which can trigger arbitrary object unserialization on PHP < 8.0.0 ↗
- →Alert on dompdf invoking arbitrary protocols/URLs during SVG parsing — attacker-controlled SVG files can cause outbound requests to attacker-controlled infrastructure ↗
- ·Arbitrary unserialize (leading to file deletion or RCE) is only exploitable on PHP versions strictly below 8.0.0; PHP 8+ is not affected by the phar deserialization chain ↗
- ·RCE impact depends on which PHP classes are available in the target environment (gadget chain availability); impact may be limited to arbitrary file deletion if no suitable gadget classes exist ↗
- ·Affected version is dompdf 2.0.1; Debian bookworm, bullseye, and sid have all resolved this CVE ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa9.8CRITICAL
osv9.8CRITICAL
vendor_debian10.0LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
URI validation failure on SVG parsing. Bypass of CVE-2023-23924
ghsa·2023-02-07·CVSS 9.8
CVE-2023-24813 [CRITICAL] CWE-436 URI validation failure on SVG parsing. Bypass of CVE-2023-23924
URI validation failure on SVG parsing. Bypass of CVE-2023-23924
### Summary
Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.
### Details
Dompdf parses the href attribute of `image` tags with the following code:
[`src/Image/Cache.php` line 135-150](https://github.com/dompdf/dompdf/blob/2a8a6b80fcaa5148ace50f35a10979fe00c6a35d/src/Image/Cache.php#L135-L150)
``` php
function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
if (strtolower($name) === "image") {
$attributes = array_change_key_case($attributes, CASE_LOWER);
$url = $attributes["xlink:href"] ?? $attributes["href"];
if (!empty($url)) {
$inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"],
OSV
URI validation failure on SVG parsing. Bypass of CVE-2023-23924
osv·2023-02-07·CVSS 9.8
CVE-2023-24813 [CRITICAL] URI validation failure on SVG parsing. Bypass of CVE-2023-23924
URI validation failure on SVG parsing. Bypass of CVE-2023-23924
### Summary
Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols.
### Details
Dompdf parses the href attribute of `image` tags with the following code:
[`src/Image/Cache.php` line 135-150](https://github.com/dompdf/dompdf/blob/2a8a6b80fcaa5148ace50f35a10979fe00c6a35d/src/Image/Cache.php#L135-L150)
``` php
function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
if (strtolower($name) === "image") {
$attributes = array_change_key_case($attributes, CASE_LOWER);
$url = $attributes["xlink:href"] ?? $attributes["href"];
if (!empty($url)) {
$inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"],
GHSA
Dompdf vulnerable to URI validation failure on SVG parsing
ghsa·2023-02-01
CVE-2023-23924 [CRITICAL] CWE-551 Dompdf vulnerable to URI validation failure on SVG parsing
Dompdf vulnerable to URI validation failure on SVG parsing
### Summary
The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `` tags with uppercase letters. This might leads to arbitrary object unserialize on PHP ` tags, in src/Image/Cache.php :
```
if ($type === "svg") {
$parser = xml_parser_create("utf-8");
xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
xml_set_element_handler(
$parser,
function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
if ($name === "image") {
$attributes = array_change_key_case($attributes, CASE_LOWER);
```
This part will try to detect `` tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with "image" is case sensitive, which mean
OSV
Dompdf vulnerable to URI validation failure on SVG parsing
osv·2023-02-01
CVE-2023-23924 [CRITICAL] Dompdf vulnerable to URI validation failure on SVG parsing
Dompdf vulnerable to URI validation failure on SVG parsing
### Summary
The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `` tags with uppercase letters. This might leads to arbitrary object unserialize on PHP ` tags, in src/Image/Cache.php :
```
if ($type === "svg") {
$parser = xml_parser_create("utf-8");
xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
xml_set_element_handler(
$parser,
function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
if ($name === "image") {
$attributes = array_change_key_case($attributes, CASE_LOWER);
```
This part will try to detect `` tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with "image" is case sensitive, which mean
Debian
CVE-2023-23924: php-dompdf - Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be by...
vendor_debian·2023·CVSS 10.0
CVE-2023-23924 [CRITICAL] CVE-2023-23924: php-dompdf - Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be by...
Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.
Scope: local
bookworm: resolved
bullseye: resolved
sid: resolved
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85https://github.com/dompdf/dompdf/releases/tag/v2.0.2https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qghttps://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85https://github.com/dompdf/dompdf/releases/tag/v2.0.2https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
2023-02-01
Published