CVE-2021-45394

HIGH

Html2pdf < 5.2.4 - SSRF

Title source: rule

Description

An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious <link> tag in the converted HTML document.

References (3)

[Product, Third Party Advisory] https://github.com/spipu/html2pdf

[Release Notes, Third Party Advisory] https://github.com/spipu/html2pdf/blob/master/CHANGELOG.md

[Exploit, Third Party Advisory] https://www.synacktiv.com/sites/default/files/2022-01/html2pdf_ssrf_deserialization.pdf

Scores

CVSS v3 8.8

EPSS 0.0038

EPSS Percentile 58.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Classification

CWE

CWE-502 CWE-918

Status published

Affected Products (2)

html2pdf_project/html2pdf < 5.2.4

spipu/html2pdf < 5.2.4Packagist

Timeline

Published Jan 18, 2022

Tracked Since Feb 18, 2026