CVE-2021-34119

7.8 HIGH

📋 TL;DR

CVE-2021-34119 is a heap-based buffer overflow vulnerability in HTMLDOC's parse_paragraph function that allows remote code execution or denial of service when processing malicious files. This affects systems running HTMLDOC 1.9.12 or earlier versions that parse untrusted input files. Users who convert HTML to PDF using HTMLDOC with external file sources are at risk.

💻 Affected Systems

Products:
  • HTMLDOC
Versions: 1.9.12 and earlier versions
Operating Systems: Linux, Windows, macOS, BSD
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when processing files through the parse_paragraph function.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with the privileges of the HTMLDOC process, potentially leading to full system compromise.

🟠 Likely Case

Denial of service through application crash when processing crafted files.

🟢 If Mitigated

Limited impact if HTMLDOC runs with minimal privileges and only processes trusted files.

🌐 Internet-Facing: MEDIUM - Risk exists if HTMLDOC processes files from untrusted web sources, but requires file upload/processing capability.
🏢 Internal Only: LOW - Most internal uses involve trusted document conversion workflows.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof of concept demonstrates crash; weaponization for RCE would require additional exploit development.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.13 and later

Vendor Advisory: https://github.com/michaelrsweet/htmldoc/security/advisories

Restart Required: No

Instructions:

1. Download HTMLDOC 1.9.13 or later from the official repository.
2. Compile and install it following the platform-specific build instructions.
3. Replace the existing HTMLDOC binary with the patched version.

🔧 Temporary Workarounds

Restrict file processing (Platform: all)

Limit HTMLDOC to process only trusted, validated files from known sources.

Run with reduced privileges (Platform: linux)

Execute HTMLDOC with minimal user privileges to limit potential damage from exploitation.

sudo -u nobody htmldoc [options]

🧯 If You Can't Patch

  • Implement strict input validation for all files processed by HTMLDOC
  • Isolate HTMLDOC execution in a container or sandbox environment

🔍 How to Verify

Check if Vulnerable:

Check HTMLDOC version: htmldoc --version. If version is 1.9.12 or earlier, system is vulnerable.

Check Version:

htmldoc --version

Verify Fix Applied:

After patching, verify version is 1.9.13 or later: htmldoc --version
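
The version check above as an added shell example (not part of the original advisory or the HTMLDOC project). It compares version fields numerically, so that 1.9.9 is not ranked above 1.9.13 as a string comparison would. It assumes `htmldoc --version` prints a dotted version number; the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify an HTMLDOC version against the fixed release
# named on this page (1.9.13).

FIXED_VERSION="1.9.13"   # first patched release per this advisory

# version_lt A B -> exit status 0 if A < B, comparing dot-separated
# fields as integers; missing fields count as 0 (so 1.9 < 1.9.13).
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        # Drop the field just read; with no dot left the string is done.
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1   # versions are equal
}

# classify_htmldoc "raw version output" -> vulnerable | patched | unknown
classify_htmldoc() {
    # Keep the first dotted-number token; no such token means "unknown".
    v=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*$/\1/p' |
        head -n 1)
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED_VERSION"; then
        echo vulnerable
    else
        echo patched
    fi
}

# Check the local install only if the binary is on PATH.
# Assumption: `htmldoc --version` prints the version string.
if command -v htmldoc >/dev/null 2>&1; then
    echo "htmldoc: $(classify_htmldoc "$(htmldoc --version 2>&1)")"
fi
```
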

📡 Detection & Monitoring

Log Indicators:

  • HTMLDOC process crashes
  • Abnormal memory usage patterns
  • Unexpected file processing errors

Network Indicators:

  • Unusual file uploads to HTMLDOC processing endpoints
  • Exploit kit traffic patterns

SIEM Query:

process_name:"htmldoc" AND (event_type:"crash" OR memory_usage:"high")
