CVE-2023-23924

CRITICAL

dompdf < 2.0.2 - Arbitrary Object Unserialize via SVG Image Tag Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-23924. PoCs published by motikan2010.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2023-23924, demonstrating a PHAR deserialization vulnerability in Dompdf. The exploit leverages a malicious PHAR file to achieve remote code execution (RCE) when Dompdf processes an SVG file with a crafted URI.

Description

Dompdf is an HTML to PDF converter. The URI validation in dompdf 2.0.1 can be bypassed during SVG parsing by passing `<image>` tags written with uppercase letters. This may lead to arbitrary object unserialization on PHP < 8 through the `phar` URL wrapper. An attacker who can supply an SVG file to dompdf can make it request an arbitrary URL over an arbitrary protocol. On PHP versions before 8.0.0, this results in arbitrary unserialization, which leads at the very least to arbitrary file deletion and, depending on the classes available, to remote code execution.
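As an added example (not dompdf's own code and not taken from the advisory), the weakness described above and its fix, in Python: a check that matches the literal lowercase tag name never inspects `<IMAGE>`, while a check that normalises the element name and enforces a scheme allowlist rejects the `phar://` reference whatever the casing. The allowlist, the sample SVG documents and the file names in them are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_NS = "http://www.w3.org/1999/xlink"
# Assumed allowlist of schemes an image loader may fetch from (illustrative).
ALLOWED_SCHEMES = {"http", "https", "data"}

# Constructed samples: a benign reference and one behind an uppercase tag name.
SVG_HEAD = ('<svg xmlns="http://www.w3.org/2000/svg" '
            'xmlns:xlink="http://www.w3.org/1999/xlink">')
SAFE_SVG = SVG_HEAD + '<image xlink:href="https://example.invalid/a.png"/></svg>'
UPPER_SVG = SVG_HEAD + '<IMAGE xlink:href="phar://uploads/constructed.phar/a.png"/></svg>'


def naive_image_refs(svg: str) -> list[str]:
    """Weak pattern: a case-sensitive match on the literal tag name 'image'.
    <IMAGE> never reaches the URI check, although a lenient SVG renderer
    still treats it as an image element and loads the reference."""
    return re.findall(r'<image\b[^>]*?(?:xlink:)?href="([^"]*)"', svg)


def image_refs(svg: str) -> list[str]:
    """Hardened collection: visit every element, compare its local name
    case-insensitively, and read both href and xlink:href."""
    refs = []
    for el in ET.fromstring(svg).iter():
        local_name = el.tag.rsplit("}", 1)[-1]   # drop the namespace URI
        if local_name.lower() != "image":
            continue
        for attr in ("href", "{%s}href" % XLINK_NS):
            if attr in el.attrib:
                refs.append(el.attrib[attr])
    return refs


def rejected_refs(svg: str) -> list[str]:
    """References whose scheme is not on the allowlist. A scheme-less
    (relative) reference is left to the renderer's filesystem checks."""
    bad = []
    for uri in image_refs(svg):
        scheme = urlsplit(uri.strip()).scheme.lower()
        if scheme and scheme not in ALLOWED_SCHEMES:
            bad.append(uri)
    return bad


if __name__ == "__main__":
    print("naive check sees:", naive_image_refs(UPPER_SVG))   # []
    print("hardened check rejects:", rejected_refs(UPPER_SVG))
```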

Exploits (1)

nomisec WORKING POC 9 stars
by motikan2010 · poc
https://github.com/motikan2010/CVE-2023-23924

Classification
Working PoC: 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Dompdf (versions 2.0.1 and earlier)
No auth needed
Prerequisites: PHP environment with Dompdf installed · Ability to serve a malicious PHAR file via HTTP
devstral-2 · analyzed Feb 18, 2026

References (3)

Exploit, Third Party Advisory (x_refsource_confirm): https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/dompdf/dompdf/releases/tag/v2.0.2

Scores

CVSS v3 10.0
EPSS 0.5146
EPSS Percentile 98.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-551 CWE-863
Status published
Products (2)
dompdf/dompdf 0 - 2.0.2 (Packagist)
dompdf_project/dompdf 2.0.1
Published Feb 01, 2023
Tracked Since Feb 18, 2026