CVE-2023-24813 (CVSS score of 10): RCE Flaw in Dompdf Project
A critical-severity security flaw has been disclosed in the open-source Dompdf library that, if successfully exploited, could lead to remote code execution on a target server.
The vulnerability, tracked as CVE-2023-24813, was discovered by Ry0taK and was given a maximum CVSS3 Base Score of 10 by GitHub.
Dompdf is an HTML-to-PDF converter. At its heart, dompdf is (mostly) a CSS 2.1-compliant HTML layout and rendering engine written in PHP. It is a style-driven renderer: it will download and read external stylesheets, inline style tags, and the style attributes of individual HTML elements. It also supports most presentational HTML attributes. It has over 65 million downloads on the Packagist PHP package repository.
CVE-2023-24813 could allow a remote attacker to upload arbitrary files. It is caused by the unsafe deserialization of data by the attribute parser of Dompdf and php-svg-lib. By sending a specially crafted HTTP request, an attacker could upload a malicious SVG file that causes arbitrary URLs to be called, which in turn could allow the attacker to execute arbitrary code on the vulnerable system. The vulnerability stems from an incomplete fix for CVE-2023-23924, which allowed the earlier patch to be bypassed and the vulnerability to be triggered.
“An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to the Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes,” the developer Bsweeney said in a report published today.
The vulnerability can be exploited in low-complexity attacks without requiring privileges on the targeted servers or user interaction. The issue impacts version 2.0.2 of the library and has been addressed in version 2.0.3.
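To check whether a project is on an affected release, the following added example (not code from the Dompdf project or from the report) reads a composer.lock file and compares the installed dompdf/dompdf version with the fixed 2.0.3 release. It assumes the Composer package name dompdf/dompdf, treats every release older than 2.0.3 as needing the upgrade, and takes the PHP runtime version as an optional argument to flag the pre-8.0.0 unserialize exposure described in the quoted report; the function names and the sample lock file are constructed for illustration.

```python
import json
import re

FIXED = (2, 0, 3)      # release the article names as fixed
PHP_SAFE = (8, 0, 0)   # quoted report: unserialize path exists before 8.0.0

def parse_version(text, exact=True):
    """'v2.0.2' -> (2, 0, 2). Returns None when no x.y.z can be read."""
    pattern = r"v?(\d+)\.(\d+)\.(\d+)"
    m = re.fullmatch(pattern, text.strip()) if exact else re.match(pattern, text.strip())
    return tuple(int(part) for part in m.groups()) if m else None

def assess(lock_text, php_version=None):
    """Classify a project's Dompdf exposure from its composer.lock text."""
    lock = json.loads(lock_text)
    installed = {pkg["name"].lower(): pkg["version"]
                 for section in ("packages", "packages-dev")
                 for pkg in lock.get(section) or []}
    found = installed.get("dompdf/dompdf")
    result = {"dompdf": found, "status": "not-installed", "unserialize_risk": None}
    if found is None:
        return result
    version = parse_version(found)
    if version is None:
        result["status"] = "unknown"   # dev branch or pre-release: review by hand
    elif version < FIXED:
        result["status"] = "upgrade"   # 2.0.2 per the article; older is an assumption
    else:
        result["status"] = "fixed"
    # PHP build strings such as '7.4.33-1ubuntu' only need their x.y.z prefix.
    php = parse_version(php_version, exact=False) if php_version else None
    if result["status"] != "fixed" and php is not None:
        result["unserialize_risk"] = php < PHP_SAFE
    return result

# Constructed sample lock file, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [{"name": "dompdf/dompdf", "version": "v2.0.2"}],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, php_version="7.4.33"))
```

A status of "unknown" means the lock file pins a branch or pre-release that cannot be compared numerically and needs a manual check against the 2.0.3 fix.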