CVE-2021-3902

9.8 CRITICAL

📋 TL;DR

An XML External Entity (XXE) flaw in the SVG handling of dompdf, a PHP HTML-to-PDF library, lets an attacker who can get an SVG document in front of the renderer declare external entities that the parser resolves. The consequences are Server-Side Request Forgery (SSRF) against internal services, reads of local files the PHP process can access, and, where the application also offers a writable path and a usable gadget chain, PHAR deserialization through the phar:// stream wrapper. All dompdf releases before 2.0.0 are affected, and setting isRemoteEnabled to false does not prevent it. Any application that passes user-influenced SVG (uploaded files, or inline <svg> inside attacker-controlled HTML) to a vulnerable dompdf is at risk.

💻 Affected Systems

Products:
  • dompdf/dompdf
Versions: All versions prior to 2.0.0
Operating Systems: Any operating system running PHP (the flaw is in the library, not the platform)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable even when isRemoteEnabled is set to false. Exploitation requires that attacker-influenced SVG reaches the renderer, either as a file referenced from the HTML or as inline <svg> markup.

📦 What is this software?

dompdf is an HTML-to-PDF converter written in PHP, widely used to generate invoices, reports and other documents from HTML templates. It renders SVG content (inline <svg> elements and SVG images) through its bundled php-svg-lib dependency.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise: an XXE payload that reaches the phar:// wrapper triggers deserialization of an attacker-placed PHAR file, which becomes remote code execution when the application or its dependencies expose a usable gadget chain. From there, data exfiltration and lateral movement within the network.

🟠 Likely Case

SSRF against internal services (the cloud metadata endpoint is a typical target), reading of files the PHP process can access, and denial of service through entity-expansion payloads.

🟢 If Mitigated

Limited impact if SVG never reaches dompdf, or if every SVG is validated to reject DOCTYPE and entity declarations before rendering.

🌐 Internet-Facing: HIGH - Any web application that renders user-uploaded SVG, or attacker-controlled HTML containing inline SVG, with a vulnerable dompdf is directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications remain just as vulnerable; the reduced attack surface is only the smaller population of users who can submit SVG.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes (wherever the application accepts SVG or HTML from unauthenticated users; dompdf itself has no authentication layer)
Complexity: LOW

Exploitation requires getting an SVG document to the renderer, through a file upload or by injecting it into HTML that dompdf processes. Public proof-of-concept code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.0

Vendor Advisory: https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg

Restart Required: No

Instructions:

1. Update dompdf to version 2.0.0 or later with Composer: composer require dompdf/dompdf:^2.0.0 (later 2.x releases carry further security fixes, so take the newest 2.x your application supports)
2. 2.0.0 is a major release with API changes, so run the application's PDF generation tests, including SVG rendering, after the update
3. Short-lived PHP-FPM/CGI requests pick up the new code on the next request. Long-running PHP workers (queue consumers, RoadRunner, Swoole) and a warm opcache may still hold the old classes, so restart those or reset opcache.

🔧 Temporary Workarounds

Keep SVG away from dompdf (Platform: all)

dompdf has no configuration option that turns SVG rendering off, and isRemoteEnabled=false does not stop this issue, so the only real workaround is to stop SVG from reaching the renderer: refuse SVG uploads (check the content, not just the extension), and strip inline <svg> elements and <img>/<object> references to .svg files or image/svg+xml data URIs from HTML before passing it to dompdf.

Input validation for SVG files (Platform: all)

Where SVG must be accepted, parse each document before rendering with external entity loading and network access disabled, and reject any document that carries a DOCTYPE or ENTITY declaration (an XXE payload needs one). Make the decision on the parsed DOM rather than only on a byte-level pattern, which can be dodged with a different encoding declaration.
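The validation described above, as an added example written for this page (it is not dompdf's code and not taken from the advisory). It assumes a standard Composer layout with dompdf installed under vendor/; the function names and the two sample SVG strings are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Added example; not dompdf project code. Gates SVG before dompdf sees it:
// an XXE payload must declare entities, which needs a DOCTYPE, so any SVG
// carrying a DTD is refused. The decision is made on the parsed DOM rather
// than on raw bytes alone, because a byte-level pattern can be evaded with
// an alternative encoding declaration.

require __DIR__ . '/vendor/autoload.php'; // assumed Composer layout with dompdf installed

/**
 * Throws InvalidArgumentException unless $svg is a well-formed, DTD-free SVG.
 */
function assertSafeSvg(string $svg): void
{
    if ($svg === '') {
        throw new InvalidArgumentException('empty SVG input');
    }

    // Fast textual pre-check for the usual markers.
    if (preg_match('/<!DOCTYPE|<!ENTITY/i', $svg) === 1) {
        throw new InvalidArgumentException('SVG carries a DTD or entity declaration');
    }

    // Authoritative check on the parsed document. LIBXML_NONET forbids any
    // network access while parsing. LIBXML_NOENT and LIBXML_DTDLOAD are
    // deliberately absent: they would turn entity substitution and external
    // DTD loading back on.
    $previous = libxml_use_internal_errors(true);
    try {
        $doc = new DOMDocument();
        if ($doc->loadXML($svg, LIBXML_NONET) === false) {
            throw new InvalidArgumentException('SVG is not well-formed XML');
        }
        if ($doc->doctype !== null) {
            throw new InvalidArgumentException('SVG declares a DOCTYPE');
        }
        $root = $doc->documentElement;
        if ($root === null || $root->localName !== 'svg') {
            throw new InvalidArgumentException('root element is not <svg>');
        }
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

/**
 * Renders one validated SVG inline in a minimal HTML page and returns the PDF bytes.
 */
function renderSvgToPdf(string $svg): string
{
    assertSafeSvg($svg);

    $options = new \Dompdf\Options();
    // Keep remote loading off as a matter of hygiene; on its own it does not
    // prevent this issue, which is why the validator above runs first.
    $options->set('isRemoteEnabled', false);

    $dompdf = new \Dompdf\Dompdf($options);
    $dompdf->loadHtml('<!DOCTYPE html><html><body>' . $svg . '</body></html>');
    $dompdf->render();
    return (string) $dompdf->output();
}

// Constructed sample inputs for a quick self-check (not taken from any real report).
$samples = [
    'benign' => '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              . '<rect width="10" height="10" fill="#000"/></svg>',
    'xxe'    => '<?xml version="1.0"?>'
              . '<!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///etc/passwd">]>'
              . '<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>',
];

foreach ($samples as $label => $svg) {
    try {
        assertSafeSvg($svg);
        echo "$label: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

Apply assertSafeSvg to every SVG source, not only inline markup: files referenced from <img src> and image/svg+xml data URIs need the same gate before the HTML reaches dompdf. The DOM check is the real decision; the regex only saves a parse on obvious payloads.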

🧯 If You Can't Patch

  • WAF rules that drop SVG uploads containing <!DOCTYPE or <!ENTITY catch the common payloads, but treat them as a speed bump only: encoding tricks and payload obfuscation get past regex rules
  • Run the PDF rendering step in an isolated worker on an egress-filtered network segment with no route to internal services or the cloud metadata endpoint, and with a filesystem that holds nothing worth reading (no application secrets, no writable upload directory where a PHAR could be planted)

🔍 How to Verify

Check if Vulnerable:

The installed version is recorded in composer.lock (composer.json only holds the version constraint) and in vendor/dompdf/dompdf/VERSION. Versions below 2.0.0 are vulnerable.

Check Version:

composer show dompdf/dompdf | grep versions
cat vendor/dompdf/dompdf/VERSION

With Composer 2.4 or newer, composer audit also reports known advisories for every installed package, including this one.

Verify Fix Applied:

Confirm the installed version is 2.0.0 or higher, regenerate a PDF from known-good SVG input, and, in a test environment, confirm that an SVG with an internal DOCTYPE/ENTITY declaration referencing a local file no longer leaks that file's content into the rendered PDF.

📡 Detection & Monitoring

Log Indicators:

  • SVG uploads (or HTML submissions) whose content contains <!DOCTYPE, <!ENTITY, SYSTEM or PUBLIC declarations; log or quarantine a copy of rejected input
  • PHP warnings or errors from the XML parser (DOMDocument/libxml) during PDF generation
  • Rendered PDFs containing file contents (for example /etc/passwd-style text) in place of an image

Host and Network Indicators:

  • Outbound HTTP/HTTPS or DNS from the application or PDF-rendering host to internal addresses, the cloud metadata endpoint, or unknown external hosts during PDF generation (out-of-band XXE fetches an attacker-hosted DTD)
  • Access to local files through the file:// or phar:// stream wrappers by the PHP process, visible in open_basedir restriction warnings or file-access auditing

SIEM Query:

Requests for *.svg in the web server log say nothing about entity resolution, which happens inside PHP; alert on egress from the rendering host instead (pseudo-query, adapt field names to your SIEM):

source="egress_proxy" AND src_host="pdf-renderer" AND (dest_ip IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","169.254.169.254") OR dest_domain NOT IN allowlist)

and pair it with an upload-content rule:

source="upload_scanner" AND content_type="image/svg+xml" AND (body CONTAINS "<!DOCTYPE" OR body CONTAINS "<!ENTITY")

🔗 References

  • Vendor advisory (GHSA-3cw5-7cxw-v5qg): https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-3902
