CVE-2021-3838

CRITICAL

DomPDF <2.0.0 - Code Injection

Title source: llm

Description

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.

References (2)

[Patch] https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a

View Patch ZIP pw:eip

[Exploit, Issue Tracking, Patch, Third Party Advisory] https://huntr.com/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48e

Scores

CVSS v3 9.8

EPSS 0.0365

EPSS Percentile 87.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502

Status published

Affected Products (2)

dompdf_project/dompdf < 2.0.0

dompdf/dompdf < 2.0.0Packagist

Timeline

Published Nov 15, 2024

Tracked Since Feb 18, 2026