CVSS Score

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| dompdf/dompdf | composer | < 2.0.0 | 2.0.0 |
The vulnerability stems from dompdf's HTTP request handling when it fetches external resources. The patch adds a default HTTP stream context in the constructor of Options.php; that context disables redirect following (follow_location=false) and sets a user agent. Before this fix no such context was set, so dompdf followed redirects automatically when making requests, which enabled SSRF attacks. Because the constructor did not set these secure defaults, the vulnerable behaviour was on by default. The test change (removing the assertNull check on getHttpContext()) further confirms that the context is now initialized during object construction.
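The following is an added example, not dompdf's own code, showing the kind of hardened HTTP stream context the fix describes and how a caller can fetch a remote resource with it so that a redirect is observed and refused rather than silently followed. The user-agent string, the helper names (`buildHardenedHttpContext`, `fetchWithoutRedirects`), the timeout value and the sample URL are assumptions for illustration; the two settings that mirror the patch are `follow_location` and `user_agent`.

```php
<?php
// Added example (not from the dompdf project): build a hardened PHP HTTP
// stream context and fetch a resource without following redirects.
// Assumptions: helper names, the user-agent string, the timeout and the
// sample URL are illustrative and not taken from the advisory.

declare(strict_types=1);

/**
 * Build a stream context that refuses to follow 3xx redirects and sends a
 * fixed User-Agent, the two defaults the advisory says the fix introduces.
 */
function buildHardenedHttpContext(string $userAgent = 'example-pdf-renderer/1.0')
{
    return stream_context_create([
        'http' => [
            'follow_location' => 0,          // PHP http wrapper option: 0 disables automatic redirects
            'user_agent'      => $userAgent, // identify the renderer instead of sending no UA
            'timeout'         => 5,          // seconds; an added safety default, not part of the patch
            'ignore_errors'   => true,       // return on 3xx/4xx so the status line can be inspected
        ],
    ]);
}

/**
 * Fetch a URL with the given context. Returns the HTTP status, the Location
 * header if the server tried to redirect, and the body. With follow_location
 * disabled, PHP hands the 3xx response back to us instead of fetching the
 * Location target itself, so the caller decides what to do with it.
 */
function fetchWithoutRedirects(string $url, $context): array
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        // Refuse non-HTTP schemes up front; the http wrapper options only apply to http(s).
        return ['status' => 0, 'location' => null, 'body' => '', 'error' => 'unsupported scheme'];
    }

    $body = @file_get_contents($url, false, $context);
    // $http_response_header is populated in the calling scope by the http stream wrapper.
    $headers  = $http_response_header ?? [];
    $status   = 0;
    $location = null;
    foreach ($headers as $line) {
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $line, $m)) {
            $status = (int) $m[1];
        } elseif (stripos($line, 'Location:') === 0) {
            $location = trim(substr($line, strlen('Location:')));
        }
    }

    return [
        'status'   => $status,
        'location' => $location,
        'body'     => $body === false ? '' : $body,
        'error'    => null,
    ];
}

// Usage (sample URL is a placeholder; nothing is fetched unless this file is run).
$ctx    = buildHardenedHttpContext();
$result = fetchWithoutRedirects('https://example.invalid/image.png', $ctx);

if ($result['status'] >= 300 && $result['status'] < 400) {
    // The redirect was seen but not followed: log it and refuse, rather than
    // letting the remote server choose an arbitrary next URL.
    fwrite(STDERR, 'refused redirect to ' . ($result['location'] ?? '<none>') . PHP_EOL);
} elseif ($result['status'] === 200) {
    echo 'fetched ' . strlen($result['body']) . " bytes\n";
} else {
    echo 'fetch failed: status ' . $result['status'] . ' ' . ($result['error'] ?? '') . "\n";
}
```

The contrast with the pre-fix behaviour is the absence of the context: without `follow_location` set, PHP's http wrapper follows redirects by default, so a server that answers a resource request with a 3xx can steer the renderer to a different URL. Passing a context like the one above through the Options setter that pairs with `getHttpContext()` would give a pre-2.0.0 installation the same defaults; the setter's name is not stated on this page, so treat that as an assumption and upgrade to 2.0.0 where possible.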