CVE-2023-50262
Published: 13 December 2023
Summary
CVE-2023-50262 is a medium-severity Improper Input Validation (CWE-20) vulnerability in Dompdf (Dompdf Project). Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 9.0% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
Dompdf is an HTML-to-PDF converter for PHP that relies on php-svg-lib for SVG handling. On its own, php-svg-lib does not resolve `image` elements that point at other SVG files; when driven by Dompdf it does, and Dompdf's image cache validation (Cache.php) is what decides whether such a reference is allowed. Prior to version 2.0.4 that check only rejected a document that referenced itself. A chain was never examined: if document A contains an `image` pointing at document B and B contains an `image` pointing back at A, each document passes the self-reference test on its own, and parsing recurses without bound until the process hits its memory limit or its execution time limit.
An unauthenticated remote attacker can supply a crafted HTML document containing malicious SVG references. When Dompdf processes the payload, the recursion triggers resource exhaustion on the server, crashing the worker process or, across repeated requests, degrading overall availability. The attack requires only network access to an endpoint that feeds user-supplied HTML to Dompdf. Because the loop needs two or more documents that reference each other, Dompdf must also be able to resolve those documents, for example as files inside its configured chroot or, where remote resource loading is enabled, as attacker-hosted URLs.
The project addressed the flaw in version 2.0.4 with updated validation logic that also covers chained references; the fix is documented in the corresponding GitHub security advisory and commit. Upgrading is the remediation; as defense in depth, keep PHP `memory_limit` and `max_execution_time` ceilings on the rendering worker so that a runaway render fails in isolation rather than starving the host. The associated EPSS score has remained flat at 0.0615 with no observed increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-3086
Vulnerability details
Dompdf is an HTML to PDF converter for PHP. When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, prior to version 2.0.4, a recursive chain using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. php-svg-lib, when run in isolation, does not support SVG references for `image` elements. However, when used in combination with Dompdf, php-svg-lib will process SVG images referenced by an `image` element. Dompdf currently includes validation to prevent self-referential `image` references, but a chained reference is not checked. A malicious actor may thus trigger infinite recursion by chaining references between two or more SVG images. When Dompdf parses a malicious payload, it will crash after exceeding the allowed execution time or memory usage. An attacker sending multiple requests to a system can potentially cause resource exhaustion to the point that the system is unable to handle incoming requests. Version 2.0.4 contains a fix for this issue.
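The chained-reference gap described in the analysis and in the advisory text above, shown as an added example in PHP. This is not Dompdf's or php-svg-lib's code: three constructed SVG documents held in an array stand in for files Dompdf would resolve from disk or a URL, `walkSelfReferenceOnly` mirrors a check that only refuses a document referencing itself, and `findReferenceCycle` is the chain-aware check that catches a loop of any length. The function names, the in-memory resolver and the sample documents are this example's own assumptions.

```php
<?php
// Added example, not Dompdf's or php-svg-lib's code. Shows why a self-reference-only
// check misses a two-document loop, and the chain-aware check that catches it.
declare(strict_types=1);

const SVG_NS   = 'http://www.w3.org/2000/svg';
const XLINK_NS = 'http://www.w3.org/1999/xlink';

/**
 * Constructed sample documents standing in for files Dompdf would resolve:
 * a.svg and b.svg reference each other through <image>; c.svg references nothing.
 */
function sampleDocuments(): array
{
    return [
        'a.svg' => '<svg xmlns="' . SVG_NS . '" xmlns:xlink="' . XLINK_NS . '" width="10" height="10">'
                 . '<image xlink:href="b.svg" width="10" height="10"/></svg>',
        'b.svg' => '<svg xmlns="' . SVG_NS . '" width="10" height="10">'
                 . '<image href="a.svg" width="10" height="10"/></svg>',
        'c.svg' => '<svg xmlns="' . SVG_NS . '" width="10" height="10"><rect width="10" height="10"/></svg>',
    ];
}

/** Hrefs of every SVG <image> element, accepting both the SVG 2 href and the xlink:href form. */
function imageReferences(string $svg): array
{
    libxml_use_internal_errors(true);          // malformed input must not emit warnings
    $doc = new DOMDocument();
    if (!$doc->loadXML($svg, LIBXML_NONET)) {  // LIBXML_NONET: no network access while parsing
        return [];
    }
    $refs = [];
    foreach ($doc->getElementsByTagNameNS(SVG_NS, 'image') as $image) {
        $href = $image->getAttribute('href');
        if ($href === '') {
            $href = $image->getAttributeNS(XLINK_NS, 'href');
        }
        if ($href !== '') {
            $refs[] = $href;
        }
    }
    return $refs;
}

/**
 * Pre-2.0.4 style check: a reference back to the document being parsed is refused, but the
 * documents further up the chain are forgotten. Returns the deepest level reached. $maxDepth
 * exists only so this demonstration terminates; the vulnerable parser had no such limit and
 * ran until memory_limit or max_execution_time stopped it.
 */
function walkSelfReferenceOnly(array $docs, string $name, int $depth = 0, int $maxDepth = 50): int
{
    if ($depth >= $maxDepth) {
        return $depth;
    }
    $deepest = $depth;
    foreach (imageReferences($docs[$name]) as $ref) {
        if ($ref === $name || !isset($docs[$ref])) {
            continue;                          // self-reference blocked; unknown target skipped
        }
        $deepest = max($deepest, walkSelfReferenceOnly($docs, $ref, $depth + 1, $maxDepth));
    }
    return $deepest;
}

/**
 * Chain-aware check: $chain holds every document currently being expanded. A reference that
 * resolves to a document already in the chain closes a cycle, whatever its length. Returns the
 * cycle as a path (for example a.svg, b.svg, a.svg), or null when the reference tree is finite.
 */
function findReferenceCycle(array $docs, string $name, array $chain = []): ?array
{
    if (in_array($name, $chain, true)) {
        return [...$chain, $name];
    }
    $chain[] = $name;
    foreach (imageReferences($docs[$name]) as $ref) {
        if (!isset($docs[$ref])) {
            continue;                          // unresolvable target: nothing to expand
        }
        $cycle = findReferenceCycle($docs, $ref, $chain);
        if ($cycle !== null) {
            return $cycle;
        }
    }
    return null;
}

$docs = sampleDocuments();
printf("self-reference-only check on a.svg: reached depth %d (capped for the demo)\n",
    walkSelfReferenceOnly($docs, 'a.svg'));
$cycle = findReferenceCycle($docs, 'a.svg');
printf("chain-aware check on a.svg: %s\n", $cycle === null ? 'no cycle' : 'cycle ' . implode(' -> ', $cycle));
printf("chain-aware check on c.svg: %s\n", findReferenceCycle($docs, 'c.svg') === null ? 'no cycle' : 'cycle');
```

The self-reference-only walk climbs to the demo cap because at every level the target differs from the document currently being parsed, while the chain-aware check stops at the second hop with the path a.svg -> b.svg -> a.svg and leaves the benign c.svg alone. A hard depth cap and PHP's `memory_limit` are worth keeping as a backstop, but they do not replace the cycle check: a long chain built from many distinct documents is finite and should still render.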
- CWE(s): CWE-20 (Improper Input Validation)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Dompdf versions prior to 2.0.4 (fixed in 2.0.4), and any application that renders user-supplied HTML through an affected version.
Mitigating Controls
Likely mitigating controls (derived from the cited CWEs)
Per-CVE control mapping for this CVE has not yet run; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Supports resumption at an alternate site when uncontrolled recursion causes primary-site failure or crash.
- Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
- Security testing and evaluation at multiple SDLC stages directly detect missing or flawed input validation, with the required remediation process ensuring fixes are applied.
- Prevents uncontrolled recursion that exhausts stack or CPU resources.
- Directly implements checks on information inputs to reject invalid data before processing.
- Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.