CVE-2019-1000005: mPDF Unsafe Deserialization

CVSS Score: 8.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.60178%
Published: 5/14/2022
Updated: 9/28/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
mpdf/mpdf      composer    <= 7.1.7              7.1.8

Vulnerability Intelligence (Miggo AI)

Root Cause Analysis

The vulnerability description explicitly identifies getImage() in ImageProcessor as the entry point. GitHub issue #949 confirms the vulnerable pattern: a user-controlled src attribute is passed straight to fopen() (L215 in ImageProcessor.php). Because PHP unserializes PHAR metadata automatically whenever a file is accessed through the phar:// wrapper, this is a direct CWE-502 vector. The attack requires exactly this function to process a malicious img tag, and the patch likely adds protocol validation before the file operation.
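
As an added example (not mPDF's code and not its actual patch), this is the kind of protocol validation the analysis describes, applied in PHP to an img src before it reaches fopen(); IMAGE_BASE_DIR, resolveImageSrc() and openImage() are assumed names, and the http(s)-only allowlist is the example's own policy.

```php
<?php
// Added example, not mPDF's code: allowlist an <img src> before it reaches
// fopen(), so stream wrappers such as phar:// are never opened (and their
// metadata never unserialized). Names and the base dir are assumptions.

const IMAGE_BASE_DIR = __DIR__ . '/images';

/**
 * Returns the string that may be handed to fopen(), or null to refuse.
 * Policy: http(s) URLs pass through unchanged; bare paths must resolve to an
 * existing file below IMAGE_BASE_DIR; any other "scheme:" prefix is refused.
 */
function resolveImageSrc(string $src): ?string
{
    $src = trim($src);
    if ($src === '' || preg_match('/[\x00-\x1f]/', $src) === 1) {
        return null;                                  // empty or control bytes
    }
    // A leading "scheme:" is a URL or a registered stream wrapper (phar, file,
    // ftp, php, glob, ...). PHP resolves wrappers case-insensitively, so compare
    // lower-cased; a one-letter "scheme" such as C:\ also fails closed.
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $src, $m) === 1) {
        return in_array(strtolower($m[1]), ['http', 'https'], true) ? $src : null;
    }
    // Bare path: let realpath() collapse symlinks and "..", then check containment.
    $base = realpath(IMAGE_BASE_DIR);
    $real = realpath(IMAGE_BASE_DIR . DIRECTORY_SEPARATOR . $src);
    if ($base === false || $real === false) {
        return null;                                  // missing dir or file
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

function openImage(string $src)
{
    $target = resolveImageSrc($src);
    if ($target === null) {
        throw new InvalidArgumentException("refused image src: {$src}");
    }
    return fopen($target, 'rb');   // reached only for allowlisted URLs or paths
}

// Constructed inputs for a self-check; a relative path is allowed only when
// the file actually exists under IMAGE_BASE_DIR.
foreach (['https://example.com/logo.png', 'logo.png', 'phar://uploads/avatar.jpg',
          'PHAR://uploads/avatar.jpg', '../../etc/passwd', 'file:///etc/passwd'] as $src) {
    printf("%-30s %s\n", $src, resolveImageSrc($src) === null ? 'deny' : 'allow');
}
```

Pairing the scheme allowlist with a containment check on bare paths matters because realpath() alone does not refuse a path that escapes the image directory.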

WAF Protection Rules

WAF Rule

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in the getImage() method of the Image/ImageProcessor class that can result in arbitrary code execution, file write, etc. This attack appears to be exploitable v