
CVE-2022-28368:
Remote code injection in dompdf/dompdf

CVSS Score
9.8 (CVSS 3.1)

Basic Information

EPSS Score
0.98045%
Published
4/4/2022
Updated
2/6/2024
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Package Name
dompdf/dompdf
Ecosystem
composer
Vulnerable Versions
< 1.2.1
First Patched Version
1.2.1

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stemmed from how dompdf processed font URLs in CSS @font-face declarations. The pre-patch code in registerFont() used the remote file's extension (via pathinfo(parse_url($remoteFile, PHP_URL_PATH), PATHINFO_EXTENSION)) to construct the local filename. This allowed attackers to specify a .php URL, which dompdf would then save as a .php file in its writable font directory. The commit 4c70e10 fixed this by hardcoding .ttf extensions for TrueType fonts instead of trusting the remote filename. The function's direct involvement in handling external font resources and the security-focused commit modifying its behavior confirm its role in the vulnerability.
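The following PHP is an added illustration of the root cause described above and is not dompdf's own code: it places the pre-patch filename derivation (extension copied from the remote URL's path) beside a hardened variant that hardcodes the extension, as the fix commit does, and adds a small audit routine a defender can run over a dompdf font directory. The function names, the directory and the sample URLs are constructed for this example; the default list of legitimate cache filenames is an assumption to check against your installed dompdf version.

```php
<?php
// Added illustration, not dompdf's own code. Function names, $fontDir and the
// sample URLs below are constructed for this example.

// Pre-patch pattern: the local file name inherits whatever extension the
// remote URL's path carries, so a remote .php path yields a .php file in the
// writable font directory.
function localFontNamePrePatch(string $fontDir, string $remoteFile, string $family): string
{
    $path = (string) parse_url($remoteFile, PHP_URL_PATH);
    $ext  = pathinfo($path, PATHINFO_EXTENSION);
    return $fontDir . '/' . $family . '.' . $ext;
}

// Hardened pattern, following the approach of the fix: the extension is fixed
// per font type (TrueType -> .ttf) regardless of the remote name, and the
// family name is reduced to a safe character set before it reaches the path.
function localFontNameHardened(string $fontDir, string $remoteFile, string $family): string
{
    $safeFamily = preg_replace('/[^A-Za-z0-9_-]/', '_', $family);
    return $fontDir . '/' . $safeFamily . '.ttf';
}

// Defender check: list entries in the font directory whose extension is not an
// expected font/metric extension and whose name is not a known cache file.
// A stray .php file here is a strong indicator that the pre-patch behaviour
// was exercised. $allowedNames is an assumption: fill it with the cache file
// names your dompdf version actually writes.
function auditFontDir(
    string $fontDir,
    array $allowedExts = ['ttf', 'otf', 'woff', 'woff2', 'ufm', 'afm'],
    array $allowedNames = ['installed-fonts.json', 'dompdf_font_family_cache.php']
): array {
    $suspicious = [];
    foreach (scandir($fontDir) ?: [] as $entry) {
        if ($entry === '.' || $entry === '..' || in_array($entry, $allowedNames, true)) {
            continue;
        }
        $ext = strtolower(pathinfo($entry, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowedExts, true)) {
            $suspicious[] = $entry;
        }
    }
    return $suspicious;
}

// Demo on a constructed temporary font directory.
$fontDir = sys_get_temp_dir() . '/fontcache_demo';
@mkdir($fontDir);
$samples = [
    'https://fonts.example.test/roboto.ttf',
    'https://fonts.example.test/roboto.php?v=1', // the pattern the advisory describes
];
foreach ($samples as $url) {
    printf("%s\n  pre-patch: %s\n  hardened:  %s\n", $url,
        localFontNamePrePatch($fontDir, $url, 'roboto'),
        localFontNameHardened($fontDir, $url, 'roboto'));
}
// Simulate what the two derivations would leave on disk (empty files only).
touch($fontDir . '/roboto.ttf');
touch($fontDir . '/roboto.php');
print_r(auditFontDir($fontDir));   // only roboto.php is reported
array_map('unlink', glob($fontDir . '/*'));
rmdir($fontDir);
```

The audit is the incident-response side of the same defect: on an instance that ran a vulnerable version with remote font loading enabled, anything in the font directory that is neither a font file nor the known cache file deserves a look before the directory is cleaned.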

WAF Protection Rules

WAF Rule

dompdf is an HTML to PDF converter. dompdf before 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
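The input-side check that the rule above corresponds to, written as an added PHP example rather than Miggo's rule or dompdf code: it extracts every src: url(...) inside @font-face blocks of an HTML or CSS input and reports URLs whose path does not end in a known font extension, so a .php path (with or without a query string) and a path with no extension at all are both surfaced before the document reaches the converter. The allowed-extension list and the sample input are constructed for this example.

```php
<?php
// Added example of a pre-conversion check for @font-face sources; not dompdf
// code and not Miggo's rule. The allowed-extension list and the sample HTML
// are constructed for this example.

// Collect the URL arguments of every url(...) that appears inside an
// @font-face { ... } block. Quoted and unquoted forms are both accepted.
function extractFontFaceUrls(string $input): array
{
    $urls = [];
    if (preg_match_all('/@font-face\s*\{([^}]*)\}/is', $input, $blocks)) {
        foreach ($blocks[1] as $body) {
            if (preg_match_all('/url\(\s*["\']?([^"\')\s]+)["\']?\s*\)/i', $body, $m)) {
                foreach ($m[1] as $u) {
                    $urls[] = $u;
                }
            }
        }
    }
    return $urls;
}

// Flag font sources whose path extension is not an expected font format.
// The extension is taken from the URL path only, so "?v=1" style query
// strings do not hide it; a missing extension is reported as well.
function flagSuspiciousFontUrls(string $input, array $allowed = ['ttf', 'otf', 'woff', 'woff2']): array
{
    $flagged = [];
    foreach (extractFontFaceUrls($input) as $url) {
        $path = (string) parse_url($url, PHP_URL_PATH);
        $ext  = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (!in_array($ext, $allowed, true)) {
            $flagged[] = ['url' => $url, 'ext' => $ext === '' ? '(none)' : $ext];
        }
    }
    return $flagged;
}

// Constructed sample input: one legitimate source, one .php source behind a
// query string, one source with no extension.
$sample = <<<'HTML'
<style>
@font-face { font-family: "Body"; src: url("https://fonts.example.test/body.woff2") format("woff2"); }
@font-face { font-family: "Odd";  src: url(https://cdn.example.test/x.php?v=1); }
@font-face { font-family: "Bare"; src: url('https://cdn.example.test/font'); }
</style>
HTML;

print_r(flagSuspiciousFontUrls($sample));
// Reports the x.php source (ext "php") and the bare source (ext "(none)").
```

A check like this belongs in front of the converter, not in place of the upgrade: the patched release derives the local file name without consulting the remote path, and dompdf only fetches remote font sources when its isRemoteEnabled option is turned on, so keeping that option off where remote resources are not needed removes the fetch entirely.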
