CVE-2014-5011
Description
DOMPDF before 0.6.2 allows Information Disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DOMPDF before 0.6.2 has an information disclosure vulnerability that can potentially expose sensitive data.
CVE-2014-5011 is an information disclosure vulnerability in DOMPDF versions prior to 0.6.2. The exact nature of the vulnerability is not detailed in the public description, but it is classified as an information disclosure issue [2][3].
Exploitation likely involves crafting a malicious PDF or HTML input that triggers the disclosure. No authentication is required if the application allows unauthenticated PDF generation. The attack vector is network-based.
Successful exploitation could allow an attacker to read sensitive information from the server, such as configuration files, source code, or other data accessible to the web server.
The vulnerability is fixed in DOMPDF version 0.6.2 [1][3]. Users are advised to upgrade to this version or later. No workarounds are documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dompdf/dompdf (Packagist) | >= 0.6, < 0.6.2 | 0.6.2 |
Affected products
- DOMPDF/DOMPDF (description)
Patches
- cc06008f7526: Restrict access to sensitive www content to authenticated users
3 files changed · +18 −3
www/debugger.php+3 −1 modified@@ -1,6 +1,8 @@ <?php +require_once "functions.inc.php"; + $allowed_hosts = array("::1", "127.0.0.1"); -if( !in_array($_SERVER['REMOTE_ADDR'], $allowed_hosts) ) { +if( !auth_ok() || !in_array($_SERVER['REMOTE_ADDR'], $allowed_hosts) ) { die("Access denied to host at " . $_SERVER['REMOTE_ADDR']); }
www/demo.php+4 −2 modified@@ -6,7 +6,7 @@ $local = array("::1", "127.0.0.1"); $is_local = in_array($_SERVER['REMOTE_ADDR'], $local); -if ( isset( $_POST["html"] ) && $is_local ) { +if ( auth_ok() && $is_local && isset( $_POST["html"] ) ) { if ( get_magic_quotes_gpc() ) $_POST["html"] = stripslashes($_POST["html"]); @@ -27,7 +27,7 @@ <a name="demo"> </a> <h2>Demo</h2> -<?php if ($is_local) { ?> +<?php if (auth_ok() && $is_local) { ?> <p>Enter your html snippet in the text box below to see it rendered as a PDF: (Note by default, remote stylesheets, images & inline PHP are disabled.)</p> @@ -79,6 +79,8 @@ User input has been disabled for remote connections. </p> + <?php echo auth_get_link(); ?> + <?php } ?> <?php include("foot.inc"); ?> \ No newline at end of file
www/setup.php+11 −0 modified@@ -1,5 +1,9 @@ <?php include("head.inc"); ?> +<?php +if (auth_ok()) { +?> + <a name="setup"> </a> <h2>Setup</h2> @@ -296,5 +300,12 @@ </table> +<?php +} else { + echo auth_get_link(); +} +?> + + <?php include("foot.inc"); ?> \ No newline at end of file
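Review bot: In www/debugger.php the die() message still reads "Access denied to host at ..." when it is the new auth_ok() check that failed, so an unauthenticated user on ::1 or 127.0.0.1 is told their host is denied. Test the two conditions separately, or make the message generic, and on the authentication failure path print auth_get_link() as www/setup.php does so the user has a way to log in.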
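Review bot: The first hunk of www/demo.php calls auth_ok() as the first operand of the POST handler condition, but unlike www/debugger.php this diff adds no require_once "functions.inc.php" to the file. Because auth_ok() is evaluated before $is_local and isset(), an undefined function here would be a fatal error on every request; confirm the include that defines it runs before this line, or add the same require_once at the top.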
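Review bot: The auth_get_link() call added in the last hunk of www/demo.php sits in the branch whose text says "User input has been disabled for remote connections." That branch is now reached when either auth_ok() or $is_local is false, so a remote visitor is offered a login link that cannot enable the form, and a local visitor who is not authenticated is told the cause is a remote connection. Print the link only when $is_local is true and word the message for each case.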
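Review bot: www/setup.php is gated on auth_ok() alone, while www/debugger.php and www/demo.php in the same commit also require REMOTE_ADDR to be ::1 or 127.0.0.1; either apply the same host restriction here or state in the commit message why the setup page does not need it. The guard also opens after include("head.inc") and closes roughly 300 lines later in a separate PHP tag, which is easy to break in a later edit. A check at the top of the file that prints auth_get_link(), includes foot.inc and exits would keep the protected markup out of the conditional entirely.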
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jwf8-mjj8-r8hq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-5011 (ghsa, ADVISORY)
- github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2014-5011.yaml (ghsa, WEB)
- github.com/dompdf/dompdf/commit/cc06008f75262510ee135b8cbb14e333a309f651 (ghsa, WEB)
- github.com/dompdf/dompdf/compare/v0.6.1...v0.6.2 (ghsa, x_refsource_MISC, WEB)
- github.com/dompdf/dompdf/releases/tag/v0.6.2 (ghsa, x_refsource_MISC, WEB)