CVE-2021-45394
HIGH
html2pdf < 5.2.4 - Deserialization of Untrusted Data via Malicious Link Tag
Title source: llm
Description
An issue was discovered in Spipu HTML2PDF before 5.2.4. Attackers can trigger deserialization of arbitrary data via the injection of a malicious <link> tag in the converted HTML document.
References (3)
Core References
Product, Third Party Advisory x_refsource_misc
https://github.com/spipu/html2pdf
Exploit, Third Party Advisory x_refsource_misc
https://www.synacktiv.com/sites/default/files/2022-01/html2pdf_ssrf_deserialization.pdf
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/spipu/html2pdf/blob/master/CHANGELOG.md
Scores
CVSS v3
8.8
EPSS
0.0158
EPSS Percentile
72.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-502
CWE-918
Status
published
Products (2)
html2pdf_project/html2pdf
< 5.2.4
spipu/html2pdf
0 - 5.2.4 (Packagist)
Published
Jan 18, 2022
Tracked Since
Feb 18, 2026