DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
The application does not verify the protocol passed to the file_get_contents() function, which allows an attacker to substitute a URI with a phar:// prefix. If the attacker is able to upload a file of any type to the server (e.g., through an upload form), they can prepare a PHAR archive containing serialized PHP objects. Passing a phar:// path to the vulnerable function causes automatic deserialization of the archive metadata and instantiation of arbitrary PHP classes available in the application. Combined with existing POP (Property-Oriented Programming) chains, arbitrary code execution on the server side is possible.
An attacker can gain full control over the server through remote code execution (RCE), and can also compromise the confidentiality, integrity, and availability of data processed by the application.
DomPDF should be updated to version 2.0.0 or newer, which includes protocol verification before passing values to file_get_contents(). The fix is available in commit 99aeec1efec9213e87098d42eb09439e7ee0bb6a. Additionally, it is recommended to restrict file upload capabilities to authenticated and authorized users only, and to validate file extensions and MIME types of uploaded files.
DomPDF in versions before 2.0.0 (dompdf/dompdf project).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HDompdf Project Dompdf
APPDompdf Project< 2.0.0
Related vulnerabilities
XXE w parserze SVG biblioteki dompdf umożliwia SSRF i PHAR deserialization
Dompdf is an HTML to PDF converter written in php. Due to the difference in the attribute parser of Dompdf and...
Dompdf is an HTML to PDF converter. The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passi...
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Styl...
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation f...