CVE-2021-3902

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-3902

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-3902.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2021-3902

Aliases

GHSA-3vjh-xrhf-v9xh

Published

2024-11-15T11:15:06Z

Modified

2025-07-01T12:43:55.609798Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

References

Affected packages

Debian:12 / php-dompdf

Package

Name: php-dompdf
Purl: pkg:deb/debian/php-dompdf?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.2+dfsg-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/dompdf/dompdf

Affected ranges

Type: GIT
Repo: https://github.com/dompdf/dompdf
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

f56bc8e40be6c0ae0825e6c7396f4db80620b799

Affected versions

v0.*

v0.6.0

v0.6.0-b3

v0.6.1

v0.6.2

v0.7.0

v0.7.0-beta

v0.7.0-beta2

v0.7.0-beta3

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.8.4

v0.8.5

v0.8.6

v1.*

v1.0.0

v1.0.1

v1.0.2

v1.1.0

v1.1.1

v1.2.0

v1.2.1

v1.2.2