Restrictive composer.json makes Dompdf vulnerable to URI validation failure on SVG parsing in microweber/microweber


Reported on

Feb 2nd 2023


The URI validation on dompdf 2.0.1 can be bypassed on SVG parsing by passing <image> tags with uppercase letters. This might lead to arbitrary object unserialize on PHP < 8, through the phar URL wrapper.

The bug occurs during SVG parsing of <image> tags, in src/Image/Cache.php:

    $parser = xml_parser_create("utf-8");
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
        function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
            if ($name === "image") {
                $attributes = array_change_key_case($attributes, CASE_LOWER) 

This part will try to detect <image> tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the `$name comparison with "image" is case sensitive, which means that such a tag in the SVG will pass the PoC below

Proof of Concept

    <Image xlink:href="phar:///foo"></Image>


An attacker might be able to exploit the vulnerability to call arbitrary URL with arbitrary protocols, if they can provide a SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, that will leads at the very least to an arbitrary file deletion, and might leads to remote code execution, depending on classes that are available.

We are processing your report and will contact the microweber team within 24 hours. 2 months ago
Martian1337 modified the report
2 months ago
We have contacted a member of the microweber team and are waiting to hear back 2 months ago
Martian1337 modified the report
a month ago
Martian1337 modified the report
a month ago
Martian1337 modified the report
a month ago
Peter Ivanov modified the Severity from Critical (10) to Low (3.9) a month ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Peter Ivanov validated this vulnerability a month ago
Martian1337 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov marked this as fixed in 1.3.3 with commit 039e33 a month ago
Peter Ivanov has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Peter Ivanov published this vulnerability 18 hours ago
to join this conversation