VYPR
Moderate severity · NVD Advisory · Published Jan 10, 2020 · Updated Aug 6, 2024

CVE-2014-5012


Description

DOMPDF before 0.6.2 allows denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOMPDF versions before 0.6.2 are vulnerable to a denial of service attack via crafted input, potentially exhausting server resources.

CVE-2014-5012 is a denial of service vulnerability in the DOMPDF library for PHP, affecting versions prior to 0.6.2. The issue was addressed in the security-focused release 0.6.2, which also fixed other vulnerabilities including remote code execution and information disclosure [3]. The exact root cause is not publicly detailed, but it is classified as a "Denial Of Service Vector" with medium severity [3][4].

The vulnerability can be exploited remotely without authentication, likely by providing specially crafted HTML or CSS content that triggers excessive resource consumption during PDF generation. DOMPDF processes user-supplied input to render PDFs, making it a common target for such attacks. The attack vector is through the library's parsing or rendering logic, which may enter an infinite loop or allocate excessive memory [1][2].

Successful exploitation leads to denial of service, potentially causing the server to become unresponsive or crash. This can disrupt services relying on DOMPDF for PDF generation. The impact is limited to availability, but in shared hosting environments, it could affect other applications.

The vulnerability is fixed in DOMPDF version 0.6.2, released in 2014. Users are strongly advised to upgrade to this version or later. No workarounds are documented, but limiting input size and using resource limits may mitigate the risk. The CVE is not listed on CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: dompdf/dompdf (Packagist)
Affected versions: >= 0.6, < 0.6.2
Patched versions: 0.6.2
