CVE-2023-23924: Critical-Severity RCE Flaw Found in Popular Dompdf Library

A critical-severity security flaw has been disclosed in the open-source Dompdf PHP library that, if successfully exploited, could lead to remote code execution on a target server.

An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available,” developer Bsweeney wrote in the advisories.

Tracked as CVE-2023-23924 (CVSS score: 10), the bug impacts all versions of the library, including and below 2.0.1, and has been addressed in version 2.0.2 shipped yesterday.

Dompdf is an HTML-to-PDF converter. At its heart, dompdf is (mostly) a CSS 2.1-compliant HTML layout and rendering engine written in PHP. It is a style-driven renderer: it will download and read external stylesheets, inline style tags, and the style attributes of individual HTML elements. It also supports most presentational HTML attributes. It has over 65 million downloads on the packagist PHP package repository.

The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing <image> tags with uppercase letters. This might leads to arbitrary object unserialize on PHP < 8, through the phar URL wrapper,” Bsweeney added.

Therefore, the ability to delete arbitrary files on a server could break confidentiality and integrity guarantees, potentially enabling a lousy actor to overwrite arbitrary files on the host and perform any malicious action.

A PoC to trigger CVE-2023-23924 is very easy

Users of dompdf are recommended to update to version 2.0.2 as soon as possible.