CVE-2023-23924: Critical-Severity RCE Flaw Found in Popular Dompdf Library


A high-severity security flaw has been disclosed in the open-source Dompdf PHP library that, if successfully exploited, could lead to remote code execution on a target server.

An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available,” developer Bsweeney wrote in the advisories.

Tracked as CVE-2023-23924 (CVSS score: 10), the bug impacts all versions of the library, including and below 2.0.1, and has been addressed in version 2.0.2 shipped yesterday.

Dompdf is an HTML-to-PDF converter. At its heart, dompdf is (mostly) a CSS 2.1-compliant HTML layout and rendering engine written in PHP. It is a style-driven renderer: it will download and read external stylesheets, inline style tags, and the style attributes of individual HTML elements. It also supports most presentational HTML attributes. It has over 65 million downloads on the packagist PHP package repository.

Read more…