Vulnerability Description
DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Dompdf Project | Dompdf | < 2.0.0 |
Related Weaknesses (CWE)
References
- https://github.com/dompdf/dompdf/commit/99aeec1efec9213e87098d42eb09439e7ee0bb6aPatch
- https://huntr.com/bounties/0bdddc12-ff67-4815-ab9f-6011a974f48eExploitIssue TrackingPatch
FAQ
What is CVE-2021-3838?
CVE-2021-3838 is a vulnerability with a CVSS score of 9.8 (CRITICAL). DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of...
How severe is CVE-2021-3838?
CVE-2021-3838 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-3838?
Check the references section above for vendor advisories and patch information. Affected products include: Dompdf Project Dompdf.