A high-severity security flaw has been disclosed in the open-source Dompdf PHP library that, if successfully exploited, could lead to remote code execution on a target server.
“An attacker might be able to exploit the vulnerability to call arbitrary URLs with arbitrary protocols, if they can provide an SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will lead at the very least to an arbitrary file deletion, and might lead to remote code execution, depending on classes that are available,” developer Bsweeney wrote in the advisories.
Dompdf is an HTML-to-PDF converter. At its heart, Dompdf is (mostly) a CSS 2.1-compliant HTML layout and rendering engine written in PHP. It is a style-driven renderer: it will download and read external stylesheets, inline style tags, and the style attributes of individual HTML elements. It also supports most presentational HTML attributes. It has over 65 million downloads on the Packagist PHP package repository.
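
Because the advisory's precondition is an attacker-supplied SVG that references a URL, an application can screen SVG input before it reaches the renderer. The following is an added example, not Dompdf code or the project's fix: the function name, the allowlist, and the sample documents are assumptions made for illustration.

```php
<?php
// Added example (not dompdf code): pre-screen untrusted SVG for link targets.
// Assumption: the application only needs inline data: images in SVG input.
const ALLOWED_SCHEMES = ['data'];

/** Return every href/xlink:href reference that is not allowlisted. */
function findDisallowedSvgRefs(string $svg): array
{
    libxml_use_internal_errors(true);      // collect parse errors silently
    $doc = new DOMDocument();
    if (!$doc->loadXML($svg, LIBXML_NONET)) {
        return ['<unparseable SVG>'];
    }
    if ($doc->doctype !== null) {
        return ['<DOCTYPE not allowed>'];  // entities could hide a URL
    }
    $bad = [];
    foreach ($doc->getElementsByTagName('*') as $el) {
        foreach ($el->attributes as $attr) {
            // Any element, with or without the xlink: prefix.
            if (!preg_match('/(^|:)href$/i', $attr->nodeName)) {
                continue;
            }
            $value = trim($attr->value);
            if ($value !== '' && $value[0] === '#') {
                continue;                  // same-document fragment
            }
            if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $value, $m)
                && in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
                continue;                  // allowlisted scheme
            }
            // Other schemes and scheme-less paths are both refused.
            $bad[] = "{$el->nodeName} {$attr->nodeName}={$value}";
        }
    }
    return $bad;
}

// Constructed samples; "example-scheme" is a placeholder, not a real wrapper.
$samples = [
    'fragment only' => '<svg xmlns="http://www.w3.org/2000/svg"><use href="#a"/></svg>',
    'other scheme'  => '<svg xmlns="http://www.w3.org/2000/svg" '
        . 'xmlns:xlink="http://www.w3.org/1999/xlink">'
        . '<image xlink:href="example-scheme://host/x.png"/></svg>',
];
foreach ($samples as $label => $svg) {
    $refs = findDisallowedSvgRefs($svg);
    echo $label, ': ', $refs ? 'REJECT ' . implode('; ', $refs) : 'ok', PHP_EOL;
}
```

This check covers link attributes only; it does not inspect `url()` references inside `style` attributes or `<style>` blocks, and it complements rather than replaces upgrading the library.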