CVE-2021-3838
📋 TL;DR
CVE-2021-3838 is a PHAR deserialization vulnerability in DomPDF that allows attackers to achieve remote code execution by uploading malicious files. This affects web applications using DomPDF before version 2.0.0, particularly when combined with frameworks like Laravel that have documented POP chains. The vulnerability enables attackers to instantiate arbitrary PHP objects and execute code on the server.
💻 Affected Systems
- DomPDF
📦 What is this software?
Dompdf by Dompdf Project
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.
Likely Case
Remote code execution with the privileges of the web server process, potentially allowing file system access, database access, and further exploitation.
If Mitigated
Limited impact if file uploads are restricted or DomPDF is not exposed to untrusted input, though the vulnerability still exists in the codebase.
🎯 Exploit Status
Exploitation requires the ability to upload files to the server. The vulnerability is well-documented with public proof-of-concept code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.0
Vendor Advisory: https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6a
Restart Required: No
Instructions:
1. Update DomPDF to version 2.0.0 or later using Composer: 'composer require dompdf/dompdf:^2.0'.
2. Verify the update by checking the version in composer.json or running 'composer show dompdf/dompdf'.
3. Test PDF generation functionality to ensure compatibility.
🔧 Temporary Workarounds
Restrict file upload protocols
Implement input validation that rejects stream-wrapper prefixes such as 'phar://' in any file path or URL before it is passed to DomPDF.
Not applicable - requires code changes
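As an added example, not part of this advisory and not DomPDF project code, the following PHP guard rejects any user-supplied path that carries a stream-wrapper scheme (phar://, data:, php://, and so on, in any letter case or URL-encoded) and confines the remaining paths to one upload directory before they are interpolated into the HTML handed to DomPDF. The function names, the '/var/app/uploads' directory and the sample inputs are assumptions; the DomPDF 'isRemoteEnabled' and 'chroot' options are DomPDF's own and are used here only as defence in depth alongside the path check, not as a replacement for upgrading to 2.0.0.

```php
<?php
// Added example: path validation in front of DomPDF. Not DomPDF project code.
// Assumed layout: Composer autoloader at ./vendor/autoload.php, uploads stored
// under /var/app/uploads. Function names are hypothetical.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php'; // assumed Composer install of dompdf/dompdf

/**
 * True only when $path names an existing regular file inside $baseDir.
 * Anything with a URI scheme, a '://' anywhere (also after URL-decoding),
 * a NUL byte, or a resolved location outside $baseDir is rejected.
 */
function isSafeLocalPath(string $path, string $baseDir): bool
{
    // Any scheme prefix (phar:, PHAR:, data:, php:, file:, http:) is refused.
    if (preg_match('#^\s*[a-z][a-z0-9+.\-]*:#i', $path) === 1) {
        return false;
    }
    // Wrapper strings can be smuggled later in the path or percent-encoded.
    $decoded = rawurldecode($path);
    if (stripos($decoded, '://') !== false || strpos($decoded, "\0") !== false) {
        return false;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return false;
    }
    // Resolve symlinks and ../ and require the result to stay under $base.
    $real = realpath($base . DIRECTORY_SEPARATOR . $decoded);
    if ($real === false || !is_file($real)) {
        return false; // only already-stored uploads are served
    }
    return strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0;
}

/**
 * Build a PDF whose <img> sources are validated local files only.
 * Throws on the first unsafe path instead of silently dropping it.
 */
function buildPdfWithImages(array $imagePaths, string $baseDir): string
{
    $base = realpath($baseDir);
    $html = '<html><body>';
    foreach ($imagePaths as $p) {
        if (!isSafeLocalPath($p, $baseDir)) {
            throw new InvalidArgumentException('Rejected unsafe image path: ' . $p);
        }
        $abs = realpath($base . DIRECTORY_SEPARATOR . rawurldecode($p));
        $html .= '<img src="' . htmlspecialchars($abs, ENT_QUOTES) . '">';
    }
    $html .= '</body></html>';

    $options = new \Dompdf\Options();
    $options->set('isRemoteEnabled', false); // no remote fetches at all
    $options->set('chroot', $base);          // local file access limited to uploads dir
    $dompdf = new \Dompdf\Dompdf($options);
    $dompdf->loadHtml($html);
    $dompdf->render();
    return $dompdf->output();
}

// Constructed sample inputs against the assumed upload directory.
// 'invoice.png' is only reported as allowed if that file really exists there.
$uploads = '/var/app/uploads';
$samples = ['invoice.png', 'phar://invoice.png/x', 'PHAR://a.jpg',
            'phar%3A%2F%2Fa.jpg', '../../etc/passwd', "a.png\0.txt"];
foreach ($samples as $p) {
    printf("%-24s %s\n", addcslashes($p, "\0"), isSafeLocalPath($p, $uploads) ? 'allowed' : 'rejected');
}
```

The guard runs before DomPDF sees the path, so it does not depend on which version of DomPDF is installed; the chroot and isRemoteEnabled options narrow what DomPDF itself will open if something slips through.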
Disable PHAR deserialization
Configure PHP to disable the 'phar' stream wrapper if not needed: 'phar.readonly = 1' in php.ini. Note that phar.readonly only blocks creating and modifying PHAR archives; reading from phar:// paths, and the metadata deserialization that read triggers, still works, so treat this setting as hardening rather than a complete mitigation.
echo 'phar.readonly = 1' >> /etc/php/8.x/apache2/php.ini
systemctl restart apache2
🧯 If You Can't Patch
- Implement strict file upload controls: validate file types, restrict upload directories, and use random filenames.
- Isolate DomPDF usage to trusted input sources only and implement web application firewall rules to block suspicious requests.
🔍 How to Verify
Check if Vulnerable:
Check the DomPDF version in composer.json or vendor/dompdf/dompdf/VERSION. If the version is below 2.0.0, the installation is vulnerable.
Check Version:
composer show dompdf/dompdf | grep version
Verify Fix Applied:
Confirm DomPDF version is 2.0.0 or higher using 'composer show dompdf/dompdf' or checking the VERSION file.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with 'phar://' protocol in request parameters
- PHP errors related to unserialization or unexpected object instantiation
- Increased PDF generation failures or errors
Network Indicators:
- HTTP POST requests with file uploads containing serialized data
- Requests to PDF generation endpoints with unusual parameters
SIEM Query:
source="web_logs" AND (uri_path="*pdf*" OR uri_path="*dompdf*") AND (request_body="*phar://*" OR param="*phar://*")
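The SIEM query above matches the literal string 'phar://' only. As an added example, not part of this advisory, the following PHP script scans access-log lines for the same indicator but lower-cases and URL-decodes each line (twice, to catch double encoding) before matching, and only flags requests aimed at a PDF endpoint. The log format, the endpoint names and the sample lines are constructed for the example; POST bodies do not appear in a standard access log, so the same function would need to be fed application-level request logs to cover the body indicator.

```php
<?php
// Added example: detect phar:// probes against PDF endpoints in access logs.
// Sample lines and endpoint names are constructed; adapt the regex to your routes.
declare(strict_types=1);

/**
 * Return the subset of $lines that carry a phar:// wrapper string (in any
 * case, plain, URL-encoded or double-encoded, or JSON-escaped) in a request
 * whose path looks like a PDF generation endpoint.
 */
function findPharProbes(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $decoded = strtolower(rawurldecode(rawurldecode($line)));
        $targetsPdf = preg_match('#"[a-z]+ /[^\s"]*pdf[^\s"]*#', $decoded) === 1;
        $hasWrapper = strpos($decoded, 'phar://') !== false
                   || strpos($decoded, 'phar:\/\/') !== false; // JSON-escaped slashes
        if ($targetsPdf && $hasWrapper) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed combined-log-format lines (made up for this example).
$sample = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /report/pdf?file=invoice.html HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /report/pdf?file=PHAR://uploads/x.jpg/a HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /dompdf/render?src=phar%3A%2F%2Fuploads%2Fx.jpg HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /export/pdf?src=phar%253A%252F%252Fuploads%252Fx.jpg HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /images/logo.png?v=phar://nope HTTP/1.1" 200 800',
];

// Expected: the three lines from 10.0.0.7 are reported; the first line has no
// wrapper and the last does not target a PDF endpoint.
foreach (findPharProbes($sample) as $hit) {
    echo "ALERT: {$hit}\n";
}
```

A burst of such lines from one source, especially paired with 500 responses from the PDF endpoint (the "increased PDF generation failures" indicator above), is the pattern to alert on rather than a single match.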