CVE-2023-23924

10.0 CRITICAL

📋 TL;DR

dompdf 2.0.1 validates the URI of an SVG `<image>` element with a check that is case-sensitive, so a URI written with uppercase letters (for example `PHAR://` instead of `phar://`) passes validation that would have rejected the lowercase form. PHP resolves stream-wrapper names case-insensitively, so the reference still reaches the phar wrapper, and on PHP < 8.0.0 any file operation on a phar:// path unserializes the archive's metadata. An attacker who controls SVG that dompdf renders (uploaded as a file, or embedded in the HTML handed to dompdf) and who can place a phar archive on a path the PHP process can read (typically uploaded with an innocuous image extension) therefore gets an arbitrary-unserialize primitive; depending on the gadget classes available in the application, that yields file deletion or remote code execution. Any system that renders attacker-influenced SVG with dompdf 2.0.1 on PHP < 8.0.0 is affected.
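As an added illustration (not dompdf's own code), a case-sensitive scheme check of the kind the advisory describes, next to a case-insensitive allowlist replacement. The function names are hypothetical and the sample URIs are constructed:

```php
<?php
// Added example, not dompdf's code. uri_allowed_naive() models a case-sensitive
// denylist check; uri_allowed_hardened() is the replacement. Names are hypothetical.

/** Case-sensitive denylist: "phar://" is rejected, but "PHAR://" is not. */
function uri_allowed_naive(string $uri): bool
{
    foreach (['phar://', 'file://', 'glob://'] as $blocked) {
        if (strncmp($uri, $blocked, strlen($blocked)) === 0) {
            return false;
        }
    }
    return true;
}

/** Extract the RFC 3986 scheme (ALPHA *( ALPHA / DIGIT / "+" / "-" / "." )) in lowercase, or null if absent. */
function uri_scheme(string $uri): ?string
{
    return preg_match('/^([A-Za-z][A-Za-z0-9+.\-]*):/', $uri, $m) ? strtolower($m[1]) : null;
}

/** Case-insensitive allowlist: anything that is not an explicitly allowed scheme is rejected. */
function uri_allowed_hardened(string $uri, array $allowed = ['http', 'https', 'data']): bool
{
    $scheme = uri_scheme($uri);
    return $scheme !== null && in_array($scheme, $allowed, true);
}

// Constructed sample URIs, including the mixed-case variants that PHP's stream
// layer still resolves to the phar wrapper (wrapper lookup is case-insensitive).
$samples = [
    'https://example.com/logo.png',
    'phar://uploads/avatar.jpg/x.png',
    'PHAR://uploads/avatar.jpg/x.png',
    'Phar://uploads/avatar.jpg/x.png',
    'file:///etc/passwd',
    'FILE:///etc/passwd',
];
foreach ($samples as $uri) {
    printf("%-38s naive=%-5s hardened=%s\n", $uri,
        uri_allowed_naive($uri) ? 'pass' : 'block',
        uri_allowed_hardened($uri) ? 'pass' : 'block');
}
```

The naive check lets every uppercase or mixed-case variant through, and as a denylist it also misses any wrapper not listed (PHP registers many: compress.zlib, glob, data, and whatever extensions add). The hardened version rejects a scheme-less value as well; if local files must be allowed, handle that null case explicitly under a chroot rather than widening the allowlist.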

💻 Affected Systems

Products:
  • dompdf
Versions: 2.0.1 only
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Full exploitation via phar metadata unserialization requires PHP < 8.0.0; PHP 8.0 stopped unserializing phar metadata automatically on stream operations. The URI validation bypass itself is present on 2.0.1 regardless of PHP version.

📦 What is this software?

dompdf is a PHP library that converts HTML and CSS to PDF, fetching or decoding the images the document references. SVG images are parsed during rendering, and that SVG handling is where this flaw lives.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement.

🟠

Likely Case

Arbitrary file deletion, and remote code execution where the application's autoloadable classes provide a usable unserialize gadget chain.

🟢

If Mitigated

Limited impact if dompdf never receives attacker-controlled SVG, or if PHP 8.0+ is used (the unserialize primitive disappears, though the validation bypass itself remains until 2.0.2).

🌐 Internet-Facing: HIGH - Web applications accepting SVG uploads for PDF generation are directly exposed.
🏢 Internal Only: MEDIUM - Internal systems processing user-provided SVGs remain vulnerable but with reduced attack surface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is straightforward with publicly available proof-of-concept code. The attacker needs dompdf to render SVG they control, a phar archive on a local path readable by the PHP process (commonly achieved by uploading one with an image extension, since the phar extension ignores data before the stub), and, for impact beyond the unserialize itself, a gadget chain in the application's loadable classes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.2

Vendor Advisory: https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg

Restart Required: No

Instructions:

1. Update dompdf to version 2.0.2 or later via composer: composer require dompdf/dompdf:^2.0.2
2. Verify the update with: composer show dompdf/dompdf
3. Reset opcache (opcache_reset() or a PHP-FPM restart) so the patched files are actually loaded, and rebuild any container or deployment image that vendors dompdf.

🔧 Temporary Workarounds

Disable SVG processing

Platform: all

Prevent dompdf from processing untrusted SVG at all.

Validate input in the calling application before it reaches dompdf and reject SVG content. Inspect the content, not just the file extension: SVG is XML and can arrive under another name, inline in the HTML being converted, or inside a data: URI.

Upgrade PHP to 8.0+

Platform: Linux, macOS

PHP 8.0 stopped unserializing phar metadata automatically on stream operations, which removes the unserialize primitive. The URI validation bypass itself remains until dompdf 2.0.2, so treat this as defense in depth rather than a fix. PHP 8.0 reached end of life in November 2023; install a currently supported 8.x release. Package names depend on the distribution release and repository in use:

apt-get install php8.2    (Debian/Ubuntu; the php8.x package name varies by release and repository)
dnf install php           (RHEL-family; pick the distribution or Remi module stream that provides 8.x)
brew install php          (macOS Homebrew; current release)

🧯 If You Can't Patch

  • Implement strict upload validation that rejects SVG by content, not extension, and re-encode accepted raster images so a phar polyglot does not survive the upload
  • Unregister the phar stream wrapper in the PHP process that calls dompdf (stream_wrapper_unregister('phar')) if nothing else in the application needs phar://
  • Use web application firewall rules to block SVG uploads to dompdf endpoints
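For the workarounds above (gating SVG before dompdf and neutralising the phar vector), an added example of what the calling application can do on an unpatched 2.0.1 install. This is not dompdf's code: the function names are hypothetical, the SVG is a constructed sample, and the dompdf call is left as a comment because it needs the Composer autoloader. It also goes one step beyond the advisory's case by recursing into SVG carried in data: URIs, so a nested `<image>` cannot slip past a top-level-only check:

```php
<?php
// Added example for the calling application, not dompdf's own code.
// Function names are hypothetical; the SVG below is a constructed sample.

/**
 * Unregister the phar:// stream wrapper in this PHP process. With no wrapper,
 * a path such as PHAR://... is never handed to the phar extension, so no
 * archive metadata is unserialized. Only do this if nothing else in the
 * request needs phar:// (phar-packaged tools break).
 */
function disable_phar_wrapper(): bool
{
    if (!in_array('phar', stream_get_wrappers(), true)) {
        return true; // already gone
    }
    return stream_wrapper_unregister('phar');
}

/**
 * Return the href of every <image> element (SVG 2 href or xlink:href) whose
 * scheme is not allowlisted. Scheme comparison is case-insensitive, so
 * PHAR://, Phar:// and phar:// are all caught. An empty array means clean;
 * null means the document did not parse (reject it as well).
 */
function unsafe_svg_image_hrefs(string $svg, array $allowed = ['http', 'https', 'data']): ?array
{
    $keep = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML($svg, LIBXML_NONET); // never touch the network while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($keep);
    if (!$ok) {
        return null;
    }

    $bad = [];
    // Match <image> under any namespace prefix (<image>, <svg:image>, ...).
    foreach ($doc->getElementsByTagNameNS('*', 'image') as $img) {
        $href = $img->getAttribute('href');
        if ($href === '') {
            $href = $img->getAttributeNS('http://www.w3.org/1999/xlink', 'href');
        }
        if ($href === '') {
            continue;
        }
        $scheme = preg_match('/^([A-Za-z][A-Za-z0-9+.\-]*):/', $href, $m) ? strtolower($m[1]) : null;
        if ($scheme === null || !in_array($scheme, $allowed, true)) {
            $bad[] = $href;
            continue;
        }
        // A data: URI may itself carry an SVG with its own <image> elements: check it too.
        if ($scheme === 'data' && preg_match('#^data:image/svg\+xml((?:;[^,]*)?),(.*)$#is', $href, $d)) {
            $inner  = stripos($d[1], ';base64') !== false ? base64_decode($d[2], true) : rawurldecode($d[2]);
            $nested = ($inner === false) ? null : unsafe_svg_image_hrefs($inner, $allowed);
            if ($nested === null) {
                $bad[] = $href;
            } else {
                $bad = array_merge($bad, $nested);
            }
        }
    }
    return $bad;
}

disable_phar_wrapper();

// Constructed sample: the uppercase scheme the advisory describes, beside a benign image.
$svg = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
     . '<image xlink:href="PHAR://var/www/uploads/avatar.jpg/x.png" width="1" height="1"/>'
     . '<image href="https://example.com/logo.png" width="1" height="1"/>'
     . '</svg>';

$offending = unsafe_svg_image_hrefs($svg);
if ($offending === null || $offending !== []) {
    // Reject before dompdf ever sees it; log $offending for the detection section.
    echo 'rejected SVG: ' . implode(', ', $offending ?? ['unparseable']) . PHP_EOL;
} else {
    // Safe to render, e.g.:
    //   require 'vendor/autoload.php';
    //   $dompdf = new \Dompdf\Dompdf();
    //   $dompdf->loadHtml('<img src="data:image/svg+xml;base64,' . base64_encode($svg) . '">');
    //   $dompdf->render();
    echo 'SVG clean' . PHP_EOL;
}
```

Run the wrapper removal as early as possible in the request (a bootstrap file, not just before the dompdf call), because the phar metadata is unserialized the moment any file operation touches the path. The gate is a stopgap: it only inspects `<image>` elements, which is the element the advisory names, and it does not replace the 2.0.2 update.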

🔍 How to Verify

Check if Vulnerable:

Check the dompdf version with: composer show dompdf/dompdf | grep version. If the version is exactly 2.0.1 and the PHP version is < 8.0.0, the system is vulnerable; 2.0.1 on PHP 8+ still carries the validation bypass and should be updated too. Check the PHP version of the SAPI that actually runs dompdf (php-fpm -v, or phpinfo() from a web request), since it can differ from the CLI php -v.

Check Version:

composer show dompdf/dompdf | grep version

Verify Fix Applied:

Confirm dompdf version is 2.0.2 or higher: composer show dompdf/dompdf | grep version

📡 Detection & Monitoring

Log Indicators:

  • Repeated rejected or failed SVG uploads from a single client, especially interleaved with image uploads
  • Unusual file processing errors from dompdf during PDF generation
  • PHP warnings or errors mentioning phar or unserialize in the error log
  • SVG content (where stored or logged) whose <image> href uses a stream-wrapper scheme in upper or mixed case, such as PHAR://
  • Uploaded files that carry a phar stub (__HALT_COMPILER();) despite an image extension

Network Indicators:

  • HTTP POST requests with SVG files to PDF generation endpoints
  • Unusual outbound connections following SVG uploads

SIEM Query:

source="web_logs" AND (uri="*pdf*" OR uri="*convert*") AND (file_extension="svg" OR content_type="image/svg+xml")
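As an added detection example (not from dompdf or the page's vendor), a scan of an upload store for phar archives disguised under another extension, which is the second half of the attack the log indicators describe. A native-format phar ends its stub with __HALT_COMPILER(); and the phar extension ignores data before it, so an image header followed by the stub is still a loadable phar. Function names are hypothetical; the files are constructed samples written to a temporary directory:

```php
<?php
// Added detection example, not dompdf's code. Function names are hypothetical.

/** True if the first $limit bytes of $path contain a phar stub terminator (case-insensitive, like PHP's own token). */
function looks_like_phar(string $path, int $limit = 1048576): bool
{
    $fh = @fopen($path, 'rb');
    if ($fh === false) {
        return false;
    }
    $head = fread($fh, $limit);
    fclose($fh);
    return $head !== false && stripos($head, '__HALT_COMPILER') !== false;
}

/**
 * Walk $dir recursively and return, relative to $dir and sorted, every file that
 * looks like a phar archive but does not carry a .phar extension.
 */
function find_disguised_phars(string $dir): array
{
    $base = rtrim($dir, '/');
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($base, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile() || strtolower($file->getExtension()) === 'phar') {
            continue;
        }
        if (looks_like_phar($file->getPathname())) {
            $hits[] = substr($file->getPathname(), strlen($base) + 1);
        }
    }
    sort($hits);
    return $hits;
}

// Constructed samples: a benign JPEG header, a JPEG header followed by a phar
// stub (the polyglot an attacker uploads), and an unrelated text file.
$dir = sys_get_temp_dir() . '/phar-scan-' . bin2hex(random_bytes(4));
mkdir($dir . '/avatars', 0700, true);
file_put_contents($dir . '/avatars/ok.jpg',   "\xFF\xD8\xFF\xE0" . str_repeat("\0", 64));
file_put_contents($dir . '/avatars/evil.jpg', "\xFF\xD8\xFF\xE0<?php __HALT_COMPILER(); ?>\r\n" . str_repeat("\0", 64));
file_put_contents($dir . '/notes.txt', 'nothing to see');

foreach (find_disguised_phars($dir) as $hit) {
    echo "phar stub in upload store: $hit" . PHP_EOL;   // avatars/evil.jpg
}

// Clean up the constructed samples.
foreach (['avatars/ok.jpg', 'avatars/evil.jpg', 'notes.txt'] as $f) {
    unlink("$dir/$f");
}
rmdir("$dir/avatars");
rmdir($dir);
```

On a live system the equivalent one-off check is grep -rl __HALT_COMPILER /var/www/uploads. This only catches native-format phars: tar- and zip-based phars carry their metadata in archive entries or the zip comment rather than a PHP stub, so pair the scan with a content check that uploaded images actually decode as images, and re-encode them on upload so no foreign trailing data survives.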

🔗 References

  • GitHub Security Advisory GHSA-3cw5-7cxw-v5qg: https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg
  • NVD entry for CVE-2023-23924: https://nvd.nist.gov/vuln/detail/CVE-2023-23924
