CVE-2019-1000005: mPDF Unsafe Deserialization
CVSS Score: 8.8 (CVSS v3.0)
Basic Information
CVE ID: CVE-2019-1000005
GHSA ID
EPSS Score: 0.60178%
CWE
Published: 5/14/2022
Updated: 9/28/2023
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
mpdf/mpdf | composer | <= 7.1.7 | 7.1.8 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly identifies getImage() in ImageProcessor as the entry point. The GitHub issue #949 confirms the vulnerable pattern: passing user-controlled src attributes to fopen() (L215 in ImageProcessor.php). PHAR deserialization occurs automatically when accessing files via the phar:// wrapper, making this a direct vector for CWE-502. The attack vector requires exactly this function to process malicious img tags, and the patch likely adds protocol validation before file operations.