VYPR
Moderate severity · NVD Advisory · Published Apr 28, 2014 · Updated May 6, 2026

CVE-2014-2383

Description

dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.
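The fix shipped in 0.6.1 rejects the php:// scheme by name. The following is an added example, not dompdf's own code, showing the allowlist form of that check a defender would normally prefer: any scheme prefix at all is refused, so no stream wrapper reaches the renderer, and the remaining plain path is resolved with realpath() and confined to a chroot directory. The function name resolve_input_file, the chroot layout and the sample inputs are assumptions constructed for the demonstration.

```php
<?php
// Added example (not dompdf's own code): validate a user-supplied input
// file path before handing it to a PDF renderer. Refuses stream wrappers
// outright and confines the resolved path to a chroot directory.

function resolve_input_file(string $input, string $chroot): string
{
    // A "scheme:" prefix means a stream wrapper, not a filesystem path.
    // Allowlisting plain paths is safer than denylisting php:// alone.
    if (preg_match('#^[a-zA-Z][a-zA-Z0-9+.\-]*:#', $input)) {
        throw new InvalidArgumentException("Stream wrappers are not allowed: $input");
    }

    $root = realpath($chroot);
    if ($root === false) {
        throw new RuntimeException("Chroot directory does not exist: $chroot");
    }

    // Relative paths are resolved against the chroot, never the CWD.
    $candidate = ($input !== '' && $input[0] === DIRECTORY_SEPARATOR)
        ? $input
        : $root . DIRECTORY_SEPARATOR . $input;

    // realpath() collapses ".." segments and symlinks; a false result
    // means the file does not exist, which is rejected as well.
    $resolved = realpath($candidate);
    if ($resolved === false || !is_file($resolved)) {
        throw new RuntimeException("Input file not found: $input");
    }

    // Confine to the chroot: the resolved path must start with
    // root + separator (so /var/www-other does not match /var/www).
    if (strpos($resolved, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("Permission denied on $input: outside of chroot");
    }

    return $resolved;
}

// Constructed demonstration inputs: a temporary chroot holding one HTML file.
$chroot = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dompdf_chroot_demo';
@mkdir($chroot, 0700, true);
file_put_contents($chroot . DIRECTORY_SEPARATOR . 'page.html', '<p>hello</p>');

$cases = [
    'page.html',                                                   // accepted
    '../outside.html',                                             // leaves the chroot
    'php://filter/read=convert.base64-encode/resource=page.html',  // wrapper, refused
];
foreach ($cases as $case) {
    try {
        echo "OK   $case -> " . resolve_input_file($case, $chroot) . PHP_EOL;
    } catch (Exception $e) {
        echo "DENY $case -> " . $e->getMessage() . PHP_EOL;
    }
}
```

The scheme check deliberately runs before any filesystem call, because wrapper URLs are interpreted by PHP's I/O layer rather than by the filesystem and must never be passed to realpath() or file_get_contents() in the first place. The example assumes a POSIX path layout; on Windows a drive letter such as C: would also match the scheme pattern and would need its own handling.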

Affected packages

Versions sourced from the GitHub Security Advisory.

Package:            dompdf/dompdf (Packagist)
Affected versions:  >= 0.6.0, < 0.6.1
Patched versions:   0.6.1

Affected products

  • cpe:2.3:a:dompdf:dompdf:*:beta3:*:*:*:*:*:*
    Range: <=0.6.0

Patches

23a693993299

Remove pre-processing of PHP code, disallow I/O streams as file input

https://github.com/dompdf/dompdf · bsweeney · Mar 11, 2014 · via ghsa
2 files changed · +4 −7
  • dompdf.php (+4 −0, modified)
    @@ -227,6 +227,10 @@ function getoptions() {
         }
       }
       
    +  if($file_parts['protocol'] === 'php://') {
    +    throw new DOMPDF_Exception("Permission denied on $file. This script does not allow PHP streams.");
    +  }
    +  
       $outfile = "dompdf_out.pdf"; # Don't allow them to set the output file
       $save_file = false; # Don't save the file
       
    
  • include/dompdf.cls.php (+0 −7, modified)
    @@ -580,13 +580,6 @@ function load_html($str, $encoding = null) {
           $str = substr($str, 3);
         }
     
    -    // Parse embedded php, first-pass
    -    if ( $this->get_option("enable_php") ) {
    -      ob_start();
    -      eval("?" . ">$str");
    -      $str = ob_get_clean();
    -    }
    -
         // if the document contains non utf-8 with a utf-8 meta tag chars and was 
         // detected as utf-8 by mbstring, problems could happen.
         // http://devzone.zend.com/article/8855
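Review bot: removing the `eval()` pass in load_html() is the right call, but this hunk only deletes the consumer of the `enable_php` option; the option itself, its documentation and any other call sites that read it are not touched here. Either remove or deprecate the option in the same change and document that it no longer has any effect in load_html(), so that users do not keep enabling a setting that silently does nothing, and confirm no other code path still evaluates embedded PHP.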
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
