CVE-2022-28368

9.8 CRITICAL

📋 TL;DR

CVE-2022-28368 is a critical remote code execution vulnerability in Dompdf, a PHP library that renders HTML into PDF. When remote resource loading is enabled, Dompdf fetches fonts referenced by CSS @font-face src: url() declarations and writes them into its font cache under the file extension taken from the URL. An attacker who can supply HTML points the rule at a .php file on a host they control; Dompdf downloads it into the font directory, and if that directory is reachable through the web server (it sits under vendor/ in a Composer install) a request for the cached file executes the attacker's PHP. Any application that renders untrusted HTML with Dompdf and has isRemoteEnabled turned on is affected.

💻 Affected Systems

Products:
  • Dompdf
Versions: All versions before 1.2.2 (1.2.1 and earlier)
Operating Systems: All operating systems running PHP
Default Config Vulnerable: No. Dompdf ships with isRemoteEnabled set to false, which prevents the remote font download the exploit depends on; installations that enabled it (commonly to load remote images or stylesheets) are exposed.
Notes: Exploitation requires isRemoteEnabled = true, attacker-controlled HTML or CSS reaching Dompdf, and the font cache directory being served by the web server.

📦 What is this software?

Dompdf is an HTML-to-PDF converter written in PHP. It parses HTML and CSS (including @font-face, images and linked stylesheets) and lays the result out into a PDF. It is embedded in a large number of PHP applications through the dompdf/dompdf Composer package to produce invoices, reports and similar documents.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise: the attacker runs arbitrary commands as the web server user, steals data, installs backdoors, or pivots to other systems.

🟠 Likely Case

Remote code execution leading to data theft, website defacement, or cryptocurrency mining malware installation.

🟢 If Mitigated

Limited impact if Dompdf only processes trusted HTML, has remote resource loading disabled, keeps its font cache outside the web root, or runs in a sandboxed environment.

🌐 Internet-Facing: HIGH - Web applications accepting user HTML for PDF generation are directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications processing untrusted HTML could be exploited by authenticated users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code available on Packet Storm and GitHub. Exploitation requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.2 and later (1.2.2 validates remote font files before caching them)

Vendor Advisory: https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg

Restart Required: No, but if PHP opcache is enabled with timestamp validation off, clear the cache or restart PHP-FPM so the patched classes are loaded.

Instructions:

1. Update Dompdf to version 1.2.2 or later via Composer: composer require dompdf/dompdf:^1.2.2
2. Confirm the installed version: composer show dompdf/dompdf
3. Test PDF generation functionality, including any documents that rely on custom fonts.

🔧 Temporary Workarounds

Input sanitization (all platforms)

Strip or reject @font-face rules in untrusted HTML and CSS before handing the document to Dompdf. Treat this as defence in depth only: Dompdf's parsing is lenient and a pattern filter is easy to miss.

Disable remote resource loading (all platforms)

The exploit needs Dompdf to download the font from an attacker-controlled host over HTTP(S). Turn remote loading off (it is off by default) via Dompdf options:

$dompdf->set_option('isRemoteEnabled', false);

This also disables remote images and stylesheets, so check that the application does not depend on them.

Keep the font cache out of the web root (all platforms)

Set the fontDir and fontCache options to a directory outside the document root, or configure the web server to refuse requests for *.php under vendor/dompdf/dompdf/lib/fonts/. A downloaded file that cannot be requested over HTTP cannot be executed this way.
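The workarounds above combined in one rendering setup, as an added example in PHP that is not code from the Dompdf project or from this advisory: the exposed options beside a hardened set, plus an input guard for untrusted documents. The paths under /var/lib/myapp and the function names are assumptions made for the demo.

```php
<?php
// Added example (not Dompdf project code). Shows the exposed Dompdf
// configuration next to a hardened one for CVE-2022-28368.
// Paths under /var/lib/myapp are assumptions for the demo.
require __DIR__ . '/vendor/autoload.php';

use Dompdf\Dompdf;
use Dompdf\Options;

// Exposed: remote loading on, so a @font-face src pointing at an attacker
// host is fetched and written into the font cache, which by default lives
// under vendor/dompdf/dompdf/lib/fonts and may be web-served.
function exposedOptions(): Options
{
    $options = new Options();
    $options->set('isRemoteEnabled', true);
    return $options;
}

// Hardened: no remote fetches, font cache outside the document root,
// inline PHP off, and local file access confined to a chroot directory.
function hardenedOptions(string $fontDir = '/var/lib/myapp/dompdf-fonts'): Options
{
    // Dompdf writes into fontDir, so it must exist and be writable by the PHP user.
    if (!is_dir($fontDir) && !mkdir($fontDir, 0750, true)) {
        throw new RuntimeException("cannot create font directory $fontDir");
    }
    $options = new Options();
    $options->set('isRemoteEnabled', false);  // blocks the remote font download
    $options->set('isPhpEnabled', false);     // no inline <?php in documents
    $options->set('fontDir', $fontDir);       // outside the web root (assumption)
    $options->set('fontCache', $fontDir);
    $options->set('chroot', '/var/lib/myapp/dompdf-chroot'); // local file: reads only below here
    return $options;
}

// Defence in depth for untrusted input: refuse documents that declare fonts.
// Pattern matching is a weak control on its own; the real control is
// isRemoteEnabled = false in hardenedOptions().
function containsFontFace(string $html): bool
{
    return (bool) preg_match('/@font-face/i', $html);
}

// Render untrusted HTML with the hardened options and return the PDF bytes.
function renderPdf(string $untrustedHtml): string
{
    if (containsFontFace($untrustedHtml)) {
        throw new InvalidArgumentException('@font-face is not permitted in untrusted input');
    }
    $dompdf = new Dompdf(hardenedOptions());
    $dompdf->loadHtml($untrustedHtml);
    $dompdf->setPaper('A4');
    $dompdf->render();
    return $dompdf->output();
}

// Demo with a constructed document.
echo strlen(renderPdf('<h1>Invoice 1234</h1><p>Total: 10.00</p>')), " bytes of PDF\n";
```

With remote loading off, Dompdf still renders with its bundled DejaVu fonts and the PDF core fonts, so the hardened options cost nothing for documents that do not pull fonts from the network; the guard in renderPdf() only matters for code paths that cannot turn isRemoteEnabled off.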

🧯 If You Can't Patch

  • Stop passing untrusted HTML to Dompdf entirely.
  • Run Dompdf in a sandboxed container with minimal permissions and no outbound network access, which also blocks the font download the exploit relies on.

🔍 How to Verify

Check if Vulnerable:

Check whether the installed Dompdf version is below 1.2.2 by asking Composer or reading the VERSION file shipped in the package:

Check Version:

composer show dompdf/dompdf | grep versions
cat vendor/dompdf/dompdf/VERSION

Verify Fix Applied:

Confirm the installed version is 1.2.2 or higher and test with a known public payload to ensure the fetched file is rejected. Also inspect the font cache directory (vendor/dompdf/dompdf/lib/fonts by default): the only .php file that belongs there is Dompdf's own dompdf_font_family_cache.php; anything else indicates an earlier compromise.

📡 Detection & Monitoring

Log Indicators:

  • New .php files appearing in the Dompdf font cache directory (vendor/dompdf/dompdf/lib/fonts by default), other than dompdf_font_family_cache.php
  • Web requests for .php paths under the font cache directory, typically named <family>_<style>_<md5>.php
  • Submitted HTML or CSS containing @font-face rules whose src: url() ends in .php

Network Indicators:

  • Outbound HTTP(S) connections from the web server to unfamiliar hosts during PDF generation (the font download happens while Dompdf renders)

SIEM Query:

source="web_logs" AND uri="*/dompdf/*/lib/fonts/*.php"
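The log and host indicators above turned into checks, as an added example in PHP that is not code from the Dompdf project or from this advisory; it also serves the "Verify Fix Applied" step above. The access-log lines and font cache files are constructed for the demo, and the served path of the font cache is an assumption about the deployment.

```php
<?php
// Added example (not Dompdf project code): two detection checks for
// CVE-2022-28368 activity. Log lines and cache files are constructed.
// The served path of the font cache and the log format are assumptions.

// Web path under which the font cache is reachable (assumption: Composer
// install with vendor/ inside the document root, Dompdf's default font dir).
const FONT_CACHE_WEB_PATH = '/vendor/dompdf/dompdf/lib/fonts/';

// The PHP file Dompdf 1.x legitimately keeps in its font directory, plus the
// shipped template it is generated from.
const KNOWN_CACHE_FILES = ['dompdf_font_family_cache.php', 'dompdf_font_family_cache.dist.php'];

// Leading bytes of TrueType, Apple TrueType, OpenType/CFF and TrueType collections.
const FONT_MAGIC = ["\x00\x01\x00\x00", 'true', 'OTTO', 'ttcf'];

// Check 1 (log side): requests that execute a file inside the font cache.
// Dompdf names a cached remote font <family>_<style>_<md5>.<ext>; the
// exploit makes <ext> "php", so any .php request under the cache is hostile.
function findFontCacheHits(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Combined log format: ... "GET /path HTTP/1.1" ...
        if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\//', $line, $m)) {
            continue;
        }
        $path = (string) parse_url($m[1], PHP_URL_PATH);
        if (strncmp($path, FONT_CACHE_WEB_PATH, strlen(FONT_CACHE_WEB_PATH)) === 0
            && preg_match('/\.php$/i', $path)) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// Check 2 (host side): files in the font directory that should not be there.
// A planted file is a .php other than the family cache; a remote cache entry
// whose first bytes are not a font signature is reported as well.
function scanFontCacheDir(string $dir): array
{
    $findings = [];
    foreach (new DirectoryIterator($dir) as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $name = $entry->getFilename();
        $head = (string) file_get_contents($entry->getPathname(), false, null, 0, 4);
        $isRemoteCacheEntry = (bool) preg_match('/_[0-9a-f]{32}\.[a-z0-9]+$/i', $name);
        if (preg_match('/\.php$/i', $name) && !in_array($name, KNOWN_CACHE_FILES, true)) {
            $findings[$name] = 'unexpected PHP file in font directory';
        } elseif ($isRemoteCacheEntry && !in_array($head, FONT_MAGIC, true)) {
            $findings[$name] = 'remote font cache entry without a font signature';
        }
    }
    ksort($findings);
    return $findings;
}

// --- Demo on constructed data ---
$logLines = [
    '203.0.113.7 - - [10/Apr/2022:12:00:01 +0000] "POST /invoice/pdf HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Apr/2022:12:00:03 +0000] "GET /vendor/dompdf/dompdf/lib/fonts/badfont_normal_'
        . str_repeat('0', 32) . '.php HTTP/1.1" 200 128 "-" "curl/7.81.0"',
    '198.51.100.2 - - [10/Apr/2022:12:00:05 +0000] "GET /vendor/dompdf/dompdf/lib/fonts/DejaVuSans.ttf HTTP/1.1" 200 757076 "-" "Mozilla/5.0"',
];
print_r(findFontCacheHits($logLines));

// A throwaway font directory holding a genuine-looking cache entry, Dompdf's
// own index file, and the kind of file the exploit leaves behind.
$dir = sys_get_temp_dir() . '/dompdf-fonts-' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/dejavusans_normal_" . str_repeat('a', 32) . '.ttf', "\x00\x01\x00\x00" . str_repeat("\0", 60));
file_put_contents("$dir/dompdf_font_family_cache.php", "<?php return array();");
file_put_contents("$dir/badfont_normal_" . str_repeat('b', 32) . '.php', "<?php echo 'planted';");
print_r(scanFontCacheDir($dir));
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run the first check over web server access logs and the second as a periodic job on the host; a hit from either means the fix should be verified and the font directory treated as evidence, since the cached file name records the attacker's chosen font family.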

🔗 References

  • Vendor advisory: https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-28368