Incorrect Behavior Order: Authorization Before Parsing and Canonicalization Affecting dompdf/dompdf package, versions <2.0.2
Threat Intelligence
Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-PHP-DOMPDFDOMPDF-3261241
- published1 Feb 2023
- disclosed1 Feb 2023
- creditBlaklis
Introduced: 1 Feb 2023
CVE-2023-23924 (opens in a new tab)How to fix?
Upgrade dompdf/dompdf to version 2.0.2 or higher.
Overview
Affected versions of this package are vulnerable to Incorrect Behavior Order: Authorization Before Parsing and Canonicalization due to URI validation failure when parsing SVG. The URI validation can be bypassed on SVG parsing by passing <image> tags with uppercase letters.
Vulnerable Behaviour
if ($type === "svg") {
$parser = xml_parser_create("utf-8");
xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
xml_set_element_handler(
$parser,
function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
if ($name === "image") {
$attributes = array_change_key_case($attributes, CASE_LOWER);
This part will try to detect <image> tags in SVG, and will take the href to validate it against the protocolAllowed whitelist. However, the $name comparison with image is case sensitive, which means that such a tag in the SVG will pass :
<svg>
<Image xlink:href="phar:///foo"></Image>
</svg>
As the tag is named Image and not image, it will not pass the condition to trigger the check.
A correct solution would be to strtolower the $name before the check :
if (strtolower($name) === "image") {
PoC
Parsing the following SVG file is sufficient to reproduce the vulnerability :
<svg>
<Image xlink:href="phar:///foo"></Image>
</svg>