CVE-2021-3838

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2021-3838
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3838.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-3838
Aliases
Downstream
Published
2024-11-15T11:15:05Z
Modified
2025-10-15T13:09:49.086358Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the filegetcontents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.

References

Affected packages

Git / github.com/dompdf/dompdf

Affected ranges

Type
GIT
Repo
https://github.com/dompdf/dompdf
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
99aeec1efec9213e87098d42eb09439e7ee0bb6a

Affected versions

v0.*

v0.6.0
v0.6.0-b3
v0.6.1
v0.6.2
v0.7.0
v0.7.0-beta
v0.7.0-beta2
v0.7.0-beta3
v0.8.0
v0.8.1
v0.8.2
v0.8.3
v0.8.4
v0.8.5
v0.8.6

v1.*

v1.0.0
v1.0.1
v1.0.2
v1.1.0
v1.1.1
v1.2.0
v1.2.1
v1.2.2