Deserialization of Untrusted Data in dompdf/dompdf
Critical severity
GitHub Reviewed
Published
Nov 15, 2024
to the GitHub Advisory Database
•
Updated Nov 18, 2024
Description
Published by the National Vulnerability Database
Nov 15, 2024
Published to the GitHub Advisory Database
Nov 15, 2024
Reviewed
Nov 15, 2024
Last updated
Nov 18, 2024
DomPDF before version 2.0.0 is vulnerable to PHAR (PHP Archive) deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
References