CVE-2023-24813
📋 TL;DR
CVE-2023-24813 is a URL restriction bypass in Dompdf's SVG handling. Dompdf validates the 'xlink:href' attribute of SVG image elements against its URL and protocol restrictions, but versions before 2.0.3 did not validate the unprefixed 'href' attribute, so an image element in an attacker-supplied SVG can point at an arbitrary URL using an arbitrary protocol. On PHP versions before 8.0.0 a 'phar://' reference causes the phar's attacker-controlled metadata to be unserialized, which can lead to arbitrary file deletion or remote code execution depending on the classes available to the application. Any deployment that renders untrusted SVG (uploaded directly, or embedded in or referenced from the HTML being converted) is affected.
💻 Affected Systems
- Dompdf
📦 What is this software?
Dompdf by Dompdf Project. Dompdf is a PHP library that renders HTML and CSS to PDF. It is normally installed through Composer as 'dompdf/dompdf' and embedded in PHP web applications that generate invoices, reports and similar documents from markup that users can influence.
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.
Likely Case
Arbitrary file deletion and potential remote code execution depending on PHP version and available classes.
If Mitigated
If untrusted SVG is rejected, or stripped of 'href' and 'xlink:href' attributes, before it reaches Dompdf, the vector is closed. If only remote fetching is restricted, the unvalidated 'href' still bypasses those restrictions, so the server can still be made to issue URL calls that disclose information.
🎯 Exploit Status
Exploitation requires getting Dompdf to render attacker-controlled SVG, for example an uploaded SVG file or an SVG embedded in HTML that the application converts. The unserialization path additionally requires PHP before 8.0.0 and a phar file the attacker has already placed on the server at a path they know (phar metadata is only read from local files), plus a usable gadget chain in the loaded classes. The advisory and the fix commit are public, so the technical details are well documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.3
Vendor Advisory: https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75
Restart Required: No (PHP picks up the updated files on the next request; if 'opcache.validate_timestamps' is disabled, reload PHP-FPM or the web server so the patched files are loaded)
Instructions:
1. Update Dompdf to version 2.0.3 or later with Composer: 'composer require dompdf/dompdf:^2.0.3' (or 'composer update dompdf/dompdf' if your constraint already allows it).
2. Verify the update completed successfully and that composer.lock now records 2.0.3 or later.
3. Test PDF generation, including documents that contain SVG, to confirm compatibility.
🔧 Temporary Workarounds
Keep untrusted SVG away from Dompdf
Until you can upgrade, do not render attacker-controlled SVG: reject SVG uploads, or strip every 'href' and 'xlink:href' attribute from the SVG before it is handed to Dompdf. Dompdf has no configuration option that switches SVG rendering off, so this has to be enforced by the application.
Setting 'isRemoteEnabled' to false (the 'enable_remote' option) is still good hygiene, but it is not a fix on its own: the unvalidated 'href' is passed to the SVG renderer without going through Dompdf's URL checks, so the remote and protocol restrictions that option controls are not applied to it.
🧯 If You Can't Patch
- Implement strict input validation that rejects SVG files containing 'href' or 'xlink:href' attributes, or sanitizes them by removing those attributes, before the file can reach Dompdf.
- Apply default-deny egress filtering on the web server and have the WAF or upload handler block suspicious SVG uploads. Egress filtering limits what an arbitrary URL call can reach, but note that the 'phar://' path is local to the server and is not stopped by network controls.
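As an added example (not code from the Dompdf project or from the advisory), the following PHP pre-flight check implements the workaround above: it parses an SVG with DOMDocument, inspects the 'href' and 'xlink:href' attributes of every element, and reports any reference that is not a same-document fragment or an inline 'data:' raster image, so the application can reject the file before Dompdf sees it. The function names, the two sample SVGs and the '/var/www/app/pdf-assets' chroot path are assumptions for illustration.

```php
<?php
// Added example, not Dompdf project code: gate untrusted SVG before rendering.
// Policy: every href / xlink:href must be a same-document fragment (#id) or an
// inline data:image/... URI. Anything with a scheme or a path (http, file,
// phar, relative paths, ...) is reported so the caller can reject the upload.
declare(strict_types=1);

const XLINK_NS = 'http://www.w3.org/1999/xlink';

/**
 * Returns a list of human-readable violations; an empty array means the SVG
 * only references inline data or local fragments. Throws on malformed XML.
 */
function find_unsafe_svg_refs(string $svg): array
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch DTDs or entities over the network while parsing.
    // Deliberately no LIBXML_NOENT, so external entities are not expanded.
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($ok === false) {
        throw new InvalidArgumentException('SVG is not well-formed XML');
    }

    $violations = [];
    foreach ($doc->getElementsByTagNameNS('*', '*') as $el) {
        /** @var DOMElement $el */
        $refs = [];
        if ($el->hasAttribute('href')) {               // the attribute Dompdf < 2.0.3 did not validate
            $refs['href'] = $el->getAttribute('href');
        }
        if ($el->hasAttributeNS(XLINK_NS, 'href')) {   // the namespaced form Dompdf did validate
            $refs['xlink:href'] = $el->getAttributeNS(XLINK_NS, 'href');
        }
        if ($el->hasAttribute('xlink:href')) {         // prefix used without an xmlns:xlink declaration
            $refs['xlink:href'] = $el->getAttribute('xlink:href');
        }
        foreach ($refs as $attr => $value) {
            if (!is_allowed_ref($value)) {
                $violations[] = sprintf('<%s %s="%s">', $el->localName, $attr, $value);
            }
        }
    }
    return $violations;
}

function is_allowed_ref(string $value): bool
{
    $value = trim($value);
    if ($value === '' || $value[0] === '#') {
        return true;                                    // e.g. <use href="#shape">
    }
    // Inline raster image only; nested SVG (data:image/svg+xml) is excluded on purpose.
    return (bool) preg_match('#^data:image/(png|jpeg|gif|bmp|webp);base64,[A-Za-z0-9+/=]+$#', $value);
}

// ---- constructed samples: the attack shape from the advisory, and a benign file ----
$malicious = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image href="phar:///tmp/payload.phar/x.png" width="10" height="10"/>
</svg>
SVG;

$benign = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg">
  <defs><rect id="r" width="5" height="5"/></defs>
  <use href="#r"/>
</svg>
SVG;

print_r(find_unsafe_svg_refs($malicious));
print_r(find_unsafe_svg_refs($benign));

// ---- gating an upload before Dompdf renders it (assumed paths) ----
require __DIR__ . '/vendor/autoload.php';
$untrustedSvg = $malicious;                            // in practice: the uploaded file's contents
$violations   = find_unsafe_svg_refs($untrustedSvg);
if ($violations !== []) {
    throw new RuntimeException('Rejected SVG: ' . implode(', ', $violations));
}
$options = new \Dompdf\Options();
$options->setIsRemoteEnabled(false);                   // hygiene, not a fix for this CVE on its own
$options->setChroot('/var/www/app/pdf-assets');        // assumed directory for legitimate local assets
$dompdf = new \Dompdf\Dompdf($options);
```

On the constructed inputs the first call reports the single '<image href="phar:///tmp/payload.phar/x.png">' reference and the second returns an empty array. The check scans every element rather than only image elements, so references carried by 'use', 'feImage' or any other element are covered as well; if your documents legitimately reference local raster files, extend 'is_allowed_ref' to accept only paths that resolve inside the chroot directory rather than loosening it to whole schemes.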
🔍 How to Verify
Check if Vulnerable:
Check composer.lock (not only composer.json, which records a constraint rather than the installed version) or the installed packages for the Dompdf version. If the version is below 2.0.3 and untrusted SVG can reach Dompdf, either uploaded directly or embedded in HTML you convert, you are vulnerable. The unserialization consequence additionally requires PHP before 8.0.0, but the URL restriction bypass itself applies on every PHP version.
Check Version:
composer show dompdf/dompdf | grep versions
Verify Fix Applied:
After updating, verify the installed version is 2.0.3 or higher using 'composer show dompdf/dompdf'.
📡 Detection & Monitoring
Log Indicators:
- Unusual outbound connections from web server, unexpected file deletion events, abnormal SVG file uploads
Network Indicators:
- HTTP requests to unusual external domains from web server, unexpected protocol usage in outbound connections
SIEM Query (illustrative pseudo-query; field and event names depend on your SIEM and log sources):
source="web_server" AND (event="file_deletion" OR event="svg_upload") AND process="php"
🔗 References
- https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
- https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75