CVE-2023-50252

8.3 HIGH

📋 TL;DR

This vulnerability in php-svg-lib allows attackers to perform PHAR deserialization attacks via malicious SVG files containing unsanitized href attributes in <use> tags referencing <image> tags. This can lead to remote code execution on affected systems. The vulnerability affects PHP applications using php-svg-lib versions prior to 0.5.1 with PHP versions prior to 8.0.

💻 Affected Systems

Products:
  • php-svg-lib
Versions: All versions prior to 0.5.1
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: PHAR deserialization is only exploitable on PHP versions prior to 8.0. PHP 8.0 and later no longer unserialize PHAR metadata automatically when a phar:// path is opened by a file function, which removes the deserialization step of this attack chain.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Arbitrary file read leading to sensitive information disclosure and potential PHAR deserialization attacks.

🟢

If Mitigated

Limited impact with proper input validation and file system restrictions in place.

🌐 Internet-Facing: HIGH - SVG file upload functionality is common in web applications and can be exploited remotely.
🏢 Internal Only: MEDIUM - Internal applications processing SVG files could be exploited by authenticated users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires SVG file upload capability or SVG processing functionality. The vulnerability is well-documented with public advisories and patches.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.5.1

Vendor Advisory: https://github.com/dompdf/php-svg-lib/security/advisories/GHSA-jq98-9543-m4cr

Restart Required: No

Instructions:

1. Update php-svg-lib to version 0.5.1 or later using Composer: 'composer update dompdf/php-svg-lib'
2. Verify the update completed successfully.
3. Test SVG processing functionality.

🔧 Temporary Workarounds

Input Validation for SVG Files

all

Implement strict input validation and sanitization for SVG file uploads and processing.
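One way to implement this workaround, as an added PHP example that is not code from php-svg-lib or from the advisory: the check parses the uploaded SVG with DOMDocument and rejects any href or xlink:href attribute that is not a same-document fragment reference (or, on <image>, an inline base64 data: URI), so a phar://, file:// or path value never reaches the renderer. The function name svgHrefProblems and the sample SVG documents are constructed for this example; the placeholder path in the hostile sample is not a real file. The same function can be run over SVG files that were stored before the patch was applied.

```php
<?php
// Added example, not part of php-svg-lib or the advisory: reject an uploaded
// SVG whose href attributes could make the renderer open an arbitrary stream.
declare(strict_types=1);

/**
 * Returns the list of problems found in $svg; an empty array means the file
 * passes. Only fragment references (#id) are allowed on <use> and other
 * elements, and only base64 data: URIs on <image>; every other href value
 * (phar://, file://, absolute or relative paths, http(s)) is rejected.
 * A DOCTYPE is also rejected so entities cannot be used to assemble an href.
 */
function svgHrefProblems(string $svg): array
{
    $problems = [];

    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // no external entity fetches on old PHP
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: never touch the network while parsing. LIBXML_NOENT is
    // deliberately absent so entities are not substituted into attributes.
    $loaded = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if ($loaded === false) {
        return ['document is not well-formed XML'];
    }
    if ($doc->doctype !== null) {
        $problems[] = 'DOCTYPE declarations are not allowed';
    }
    if ($doc->documentElement === null || $doc->documentElement->localName !== 'svg') {
        $problems[] = 'root element is not <svg>';
    }

    // Match href in any namespace: plain href as well as xlink:href.
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query("//@*[local-name()='href']") as $attr) {
        /** @var DOMAttr $attr */
        $element = $attr->ownerElement->localName;
        $value   = trim($attr->value);

        if ($value !== '' && $value[0] === '#') {
            continue; // local reference to an id in the same document
        }
        if ($element === 'image'
            && preg_match('#^data:image/(png|jpe?g|gif);base64,[A-Za-z0-9+/=\s]+$#i', $value) === 1) {
            continue; // inline raster image, no file system access needed
        }
        $problems[] = sprintf('<%s> href "%s" is not a local reference', $element, $value);
    }

    return $problems;
}

// Constructed sample inputs for demonstration (not real uploads).
$benign = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <defs><circle id="dot" r="4"/></defs>
  <use xlink:href="#dot" x="10" y="10"/>
</svg>
SVG;

$hostile = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image id="img" xlink:href="phar:///PLACEHOLDER/upload.phar/x.png" width="1" height="1"/>
  <use xlink:href="#img"/>
</svg>
SVG;

foreach (['benign' => $benign, 'hostile' => $hostile] as $name => $svg) {
    $problems = svgHrefProblems($svg);
    printf("%s: %s\n", $name, $problems ? implode('; ', $problems) : 'accepted');
}
```

Run the check before the file is handed to php-svg-lib and reject the upload when the returned array is non-empty. The rule set is deliberately narrow: if an application legitimately needs http(s) image references, extend the allow list rather than loosening the default, since any value the renderer treats as a path is a candidate stream wrapper.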

Disable SVG Processing

all

Temporarily disable SVG file upload and processing functionality if not essential.

🧯 If You Can't Patch

  • Implement strict file upload restrictions to block SVG files
  • Upgrade to PHP 8.0+ to mitigate PHAR deserialization exploitation

🔍 How to Verify

Check if Vulnerable:

Check composer.json or installed packages for php-svg-lib version. Run: 'composer show dompdf/php-svg-lib'

Check Version:

composer show dompdf/php-svg-lib | grep versions

Verify Fix Applied:

Verify installed version is 0.5.1 or later: 'composer show dompdf/php-svg-lib | grep versions'

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads
  • Errors in SVG parsing logs
  • PHAR deserialization attempts in application logs

Network Indicators:

  • SVG file uploads with suspicious href attributes
  • Requests to unusual file paths following SVG uploads

SIEM Query:

source=web_logs (file_extension=svg OR content_type=image/svg+xml) AND (uri CONTAINS 'phar://' OR user_agent CONTAINS 'exploit')
