Remote File Inclusion in Dompdf Versions Prior to 2.0.1
CVE-2022-41343

7.5HIGH

Key Information:

Vendor: DomPDF Project
Status: DomPDF
Vendor: CVE Published:; 25 September 2022

🔔 Create DomPDF Project Vulnerability Alert

Badges

👾 Exploit Exists🟡 Public PoC🟣 EPSS 70%

What is CVE-2022-41343?

The vulnerability in Dompdf is tied to the improper URI validation in the registerFont function within FontMetrics.php. This flaw allows attackers to exploit the font registration mechanism through the use of a @font-face rule, enabling remote file inclusion. By bypassing expected validation checks, malicious users can potentially manipulate the system and gain unauthorized access to sensitive data or execute arbitrary code.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2022-41343
Created by BKreisel

References

https://github.com/dompdf/dompdf/issues/2994

https://github.com/dompdf/dompdf/pull/2995

https://github.com/dompdf/dompdf/releases/tag/v2.0.1

EPSS Score

70% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Feb 15, 2023
👾
Exploit known to exist
Feb 15, 2023
Vulnerability published
Sep 25, 2022
Vulnerability Reserved
Sep 25, 2022