9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-3838

GHSA ID

GHSA-577p-7j7h-2jgf

EPSS Score

0.89473%

CWE

CWE-502

Published

11/15/2024

Updated

11/18/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-3838

CVE-2021-3838: Deserialization of Untrusted Data in dompdf/dompdf

DomPDF before version 2.0.0 is vulnerable to PHAR (PHP Archive) deserialization due to a lack of checking on the protocol before passing it into the file_get_contents() function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and instantiate arbitrary PHP objects. This can lead to remote code execution, especially when DOMPdf is used with frameworks with documented POP chains like Laravel or vulnerable developer code.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-3838

GHSA ID

GHSA-577p-7j7h-2jgf

EPSS Score

0.89473%

CWE

CWE-502

Published

11/15/2024

Updated

11/18/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
dompdf/dompdf	composer	< 2.0.0	2.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper protocol validation before passing user-controlled URIs to file_get_contents. Key functions identified:

Stylesheet::load_css_file handled CSS @imports/resource loading with direct file_get_contents usage
Dompdf::loadHtmlFile processed base document loading with similar pattern
Helpers::getFileContent was the common file retrieval method used by both All three functions lacked proper protocol validation (phar:// filtering) in vulnerable versions, as shown by:

Removal of hardcoded protocol lists in Dompdf.php
Introduction of Options-based protocol validation in the patch
Modified URI building logic in Helpers.php to prevent phar:// exploitation These functions directly interact with user-controlled URI inputs and PHP's file operations, making them critical points for deserialization attacks.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*omP** ***or* v*rsion *.*.* is vuln*r**l* to P**R (P*P *r**iv*) **s*ri*liz*tion *u* to * l**k o* ****kin* on t** proto*ol ***or* p*ssin* it into t** *il*_**t_*ont*nts() *un*tion. *n *tt**k*r w*o **n uplo** *il*s o* *ny typ* to t** s*rv*r **n p*ss in

Reasoning

T** vuln*r**ility st*ms *rom improp*r proto*ol v*li**tion ***or* p*ssin* us*r-*ontroll** URIs to *il*_**t_*ont*nts. K*y *un*tions i**nti*i**: *. Styl*s***t::lo**_*ss_*il* **n*l** *SS @imports/r*sour** lo**in* wit* *ir**t *il*_**t_*ont*nts us*** *. *o

9.8

Basic Information

Concerned about an active attack path?

CVE-2021-3838: Deserialization of Untrusted Data in dompdf/dompdf

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI