CVE-2019-1000005: Deserialization of Untrusted Data

May 14, 2022 (updated July 19, 2023)

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in getImage() method of Image/ImageProcessor class that can result in Arbitry code execution, file write, etc.. This attack appears to be exploitable via attacker must host crafted image on victim server and trigger generation of pdf file with content . This vulnerability appears to have been fixed in 7.1.8.

References

github.com/advisories/GHSA-3cwc-m7c2-qr86
github.com/mpdf/mpdf/issues/949
nvd.nist.gov/vuln/detail/CVE-2019-1000005

Code Behaviors & Features

Detect and mitigate CVE-2019-1000005 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →