cbcvebase.
CVE-2023-23924
published 2023-02-01

CVE-2023-23924: Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `` tags with uppercase letters. This may lead…

PriorityP261critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
3.57%
87.9th percentile
Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing `` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead to the very least to an arbitrary file deletion and even remote code execution, depending on classes that are available.

Affected

5 ranges
VendorProductVersion rangeFixed in
debianphp-dompdf
dompdfdompdf
dompdfdompdf>= 0 < 2.0.22.0.2
dompdfdompdf>= 2.0.2 < 2.0.32.0.3
dompdf_projectdompdf

Detection & IOCsextracted from sources · hover to see the quote

  • Look for SVG files supplied to dompdf containing <image> or <use> tags with uppercase letters (e.g., <IMAGE>, <USE>) to bypass URI validation
  • Monitor for dompdf processing SVG inputs that reference phar:// URLs, which can trigger arbitrary object unserialization on PHP < 8.0.0
  • Alert on dompdf invoking arbitrary protocols/URLs during SVG parsing — attacker-controlled SVG files can cause outbound requests to attacker-controlled infrastructure
  • ·Arbitrary unserialize (leading to file deletion or RCE) is only exploitable on PHP versions strictly below 8.0.0; PHP 8+ is not affected by the phar deserialization chain
  • ·RCE impact depends on which PHP classes are available in the target environment (gadget chain availability); impact may be limited to arbitrary file deletion if no suitable gadget classes exist
  • ·Affected version is dompdf 2.0.1; Debian bookworm, bullseye, and sid have all resolved this CVE

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa9.8CRITICAL
osv9.8CRITICAL
vendor_debian10.0LOW
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.