Advisories for Composer/Dompdf/Dompdf package

2024
2023

Uncontrolled Recursion

Dompdf is an HTML to PDF converter for PHP. When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, prior to version 2.0.4, a recursive chained using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern this could exhaust the …

Interpretation Conflict

Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of image tags and respects xlink:href even if href is specified. However, php-svg-lib, which is later used to parse the svg file, parses the href attribute. Since href is respected if both xlink:href …

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing <image> tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the phar URL wrapper. An attacker can exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it …

2022

Server-Side Request Forgery (SSRF)

Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0. DomPDF uses file_get_contents to obtain HTTP files when allow_url_fopen is On. In default contexts, file_get_contents will redirect whenever served with a 302 response. When developers use DomPDF with isRemoteEnabled set to true and allow_url_fopen set to true, but restrict IP addresses via a deny list, it is possible for an attacker to pass in a URL which passes this …

2015
2014

Arbitrary file read

An arbitrary file read vulnerability is present on dompdf.php file that allows remote or local attackers to read local files using a special crafted argument. This vulnerability requires the configuration flag DOMPDF_ENABLE_PHP to be enabled (which is disabled by default). Using PHP protocol and wrappers it is possible to bypass the dompdf's "chroot" protection (DOMPDF_CHROOT) which prevents dompdf from accessing system files or other files on the webserver. Please note …

2011

Code Injection

PHP remote file inclusion vulnerability in dompdf.php in dompdf allows remote attackers to execute arbitrary PHP code via a URL in the input_file parameter.