CVE-2014-2383

EXPLOITED NUCLEI

dompdf <0.6.1 - Auth Bypass

Title source: llm

Description

dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.

Exploits (2)

exploitdb WRITEUP VERIFIED
by Portcullis · text · webapps · php
https://www.exploit-db.com/exploits/33004
nomisec WORKING POC · 1 star
by Relativ3Pa1n · remote
https://github.com/Relativ3Pa1n/CVE-2014-2383-LFI-to-RCE-Escalation

Nuclei Templates (1)

Dompdf < v0.6.0 - Local File Inclusion
MEDIUM · VERIFIED · by 0x_Akoko, akincibor, ritikchaddha

Scores

EPSS 0.5489
EPSS Percentile 98.0%

Details

VulnCheck KEV 2025-06-07
CWE CWE-200
Status published
Products (2)
dompdf/dompdf < 0.6.0
dompdf/dompdf 0.6.0 - 0.6.1 · Packagist
Published Apr 28, 2014
Tracked Since Feb 18, 2026