Cyber Resilience

CVE-2023-24813

Critical · Public PoC

Published: 07 February 2023
Modified: 21 November 2024
KEV Added: not listed
Patch: release 2.0.3
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0932 (92.9th percentile)
Risk Priority: 26 (weighting 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-24813 is a critical-severity Interpretation Conflict (CWE-436) vulnerability in the dompdf project's dompdf library. Its CVSS v3.1 base score is 10.0 (Critical).

Operationally, it ranks in the top 7.1% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

Dompdf, an HTML-to-PDF converter library written in PHP, contains a protocol-handling flaw that stems from inconsistent attribute parsing between its own image-tag logic and the downstream php-svg-lib SVG parser. When an SVG image element carries both href and xlink:href, Dompdf's URL check inspects xlink:href, while php-svg-lib, which parses the SVG afterwards, resolves href. An attacker therefore supplies an empty xlink:href, which passes Dompdf's check, alongside an href using an arbitrary URL scheme, which php-svg-lib then fetches. The check is bypassed without ever being triggered; this is a classic parser differential (CWE-436).

An unauthenticated remote attacker who can cause Dompdf to process a crafted SVG file can therefore trigger requests to arbitrary protocols. On PHP versions prior to 8.0.0 the same path reaches arbitrary unserialize (in those versions the phar:// stream wrapper deserializes archive metadata when the archive is touched by a file operation), enabling at minimum arbitrary file deletion and, depending on the classes available for a gadget chain, potential remote code execution. The CVSS 10.0 score reflects network reachability, no required privileges or user interaction, a changed scope (the impact lands outside the Dompdf component itself), and full impact on confidentiality, integrity, and availability.

The project's security advisory and the referenced commit 95009ea98 state that the issue is resolved in release 2.0.3. Users are advised to upgrade; no workarounds are provided. The associated EPSS score has remained flat at 0.0932 with no material post-disclosure rise.
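The following is an added example, not code from Dompdf or php-svg-lib, that reproduces the parser-differential pattern described above in Python: a guard stage that prefers one attribute and a consumer stage that prefers the other, fed a constructed SVG in which an empty `xlink:href` satisfies the guard while the plain `href` carries the scheme the consumer actually resolves. The guard and consumer functions, the allowed-scheme policy, and the sample documents are assumptions made for illustration; they are not the two libraries' real logic. The hardened guard validates every candidate attribute rather than the one this stage happens to prefer, which is the general fix for this class of mismatch.

```python
"""Parser-differential demo for the CVE-2023-24813 pattern (added example).

Two stages disagree on which of `href` / `xlink:href` wins on an SVG <image>
element: the guard checks one, the consumer resolves the other.  All functions
and sample inputs here are constructed for illustration and are not the
behaviour of Dompdf or php-svg-lib as shipped.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS = "{http://www.w3.org/2000/svg}"
XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
# Assumed policy: only web fetches, inline data and relative paths ("" scheme).
ALLOWED_SCHEMES = {"http", "https", "data", ""}


def scheme_of(url: str) -> str:
    """Scheme of a URL, lower-cased; "" for relative references and empty strings."""
    return urlsplit(url).scheme.lower()


def image_elements(svg: str):
    """Yield every <image> element, namespaced or not."""
    root = ET.fromstring(svg)
    for el in root.iter():
        if el.tag in (SVG_NS + "image", "image"):
            yield el


def guard_xlink_first(svg: str) -> bool:
    """Mimics the pre-fix guard as the advisory describes it: when both
    attributes are present, xlink:href is the one inspected."""
    for el in image_elements(svg):
        url = el.get(XLINK_HREF)
        if url is None:
            url = el.get("href", "")
        if scheme_of(url) not in ALLOWED_SCHEMES:
            return False
    return True


def consumer_href_first(svg: str) -> list[str]:
    """Mimics the downstream resolver: plain href wins when both are present.
    Returns the URLs it would fetch."""
    urls = []
    for el in image_elements(svg):
        url = el.get("href")
        if url is None:
            url = el.get(XLINK_HREF, "")
        urls.append(url)
    return urls


def guard_effective_url(svg: str) -> bool:
    """Hardened guard: check every attribute the consumer might honour, so no
    URL reaches the resolver without having been validated."""
    for el in image_elements(svg):
        for url in (el.get("href"), el.get(XLINK_HREF)):
            if url is not None and scheme_of(url) not in ALLOWED_SCHEMES:
                return False
    return True


# Constructed sample: the empty xlink:href satisfies the old guard, while the
# plain href carries a non-allowlisted scheme.  phar:// is used because, on
# PHP < 8.0.0, touching a phar archive deserializes its metadata, which is the
# "arbitrary unserialize" impact the advisory names; the path is made up.
BYPASS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<image xlink:href="" href="phar:///tmp/poc.phar/x.png" width="1" height="1"/>'
    "</svg>"
)

BENIGN_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<image xlink:href="https://example.test/a.png" width="1" height="1"/>'
    "</svg>"
)


if __name__ == "__main__":
    print("old guard accepts bypass:", guard_xlink_first(BYPASS_SVG))        # True
    print("consumer would fetch:", consumer_href_first(BYPASS_SVG))          # phar://...
    print("hardened guard accepts bypass:", guard_effective_url(BYPASS_SVG))  # False
    print("hardened guard accepts benign:", guard_effective_url(BENIGN_SVG))  # True
```

The takeaway is not specific to these two attribute names: whenever a security check and the code that acts on the input are different parsers, the check must be made on the value the consumer will actually use, or on every value it could use, rather than on the one the checking code finds most convenient.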

EU & UK References

Vulnerability details

Dompdf is an HTML to PDF converter written in PHP. Due to the difference in the attribute parser of Dompdf and php-svg-lib, an attacker can still call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of `image` tags and respects `xlink:href` even if `href` is specified. However, php-svg-lib, which is later used to parse the SVG file, parses the href attribute. Since `href` is respected if both `xlink:href` and `href` are specified, it's possible to bypass the protection on the Dompdf side by providing an empty `xlink:href` attribute. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they provide an SVG file to Dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead, at the very least, to arbitrary file deletion and might lead to remote code execution, depending on available classes. This vulnerability has been addressed in commit `95009ea98`, which has been included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.

CWE(s)

CWE-436: Interpretation Conflict

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: dompdf project
Product: dompdf
Version: 2.0.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References