VYPR
High severity · NVD Advisory · Published Jan 10, 2020 · Updated Aug 6, 2024

CVE-2014-5013

Description

DOMPDF before 0.6.2 allows remote code execution, a related issue to CVE-2014-2383.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

DOMPDF before 0.6.2 allows remote code execution by evaluating PHP embedded in attacker-supplied HTML when inline PHP execution is enabled; a related issue to CVE-2014-2383.

DOMPDF 0.6.1 and earlier are affected by a remote code execution vulnerability tracked as CVE-2014-5013. It is related to CVE-2014-2383, which covers arbitrary file read through PHP stream filters in the same code base [2][3]. The root cause is that dompdf evaluates PHP embedded in the HTML it renders: an attacker who controls the input document can therefore inject arbitrary PHP that runs on the server during PDF generation.

Exploitation requires that DOMPDF is configured to allow inline PHP execution, i.e. the DOMPDF_ENABLE_PHP option set to true. Under that configuration an attacker crafts an HTML document carrying PHP in the inline-PHP syntax dompdf evaluates (a script element of type text/php) and submits it wherever the application accepts HTML for conversion. When the application generates a PDF from that input, the injected PHP executes on the server [3][4]. Severity therefore depends on configuration: low when inline PHP execution is disabled, critical when it is enabled [3].

Successful exploitation leads to full remote code execution with the privileges of the web server user. An attacker can perform arbitrary actions, including file manipulation, data exfiltration, or lateral movement within the network [2][4].

The vulnerability is patched in DOMPDF version 0.6.2 [1][3]. All users are strongly advised to upgrade immediately. Additionally, administrators should review the security recommendations in the DOMPDF wiki to minimize attack surface, in particular keeping inline PHP execution disabled unless absolutely necessary and never rendering untrusted HTML with it enabled [3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
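The mitigation described above, as an added example written for this page (it is not dompdf's own code and does not come from the cited references): a rendering wrapper that refuses untrusted HTML carrying dompdf's inline-PHP syntax and renders with PHP evaluation explicitly disabled. It assumes a Composer install of dompdf 0.7 or later (the Dompdf\Options API); the vendor autoload path, the output file name and the two sample documents are assumptions constructed for the example.

```php
<?php
// Added example, not dompdf's own code. Assumes dompdf >= 0.7 installed via
// Composer; the autoload path and output file name below are assumptions.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Dompdf\Dompdf;
use Dompdf\Options;

/**
 * True if $html contains a <script> element of type text/php, the syntax
 * dompdf evaluates as PHP when inline PHP execution is enabled.
 * Case-insensitive and tolerant of quoting/whitespace variants; over-rejecting
 * is acceptable here because the filter is defense in depth, not the control.
 */
function containsInlinePhp(string $html): bool
{
    $pattern = '~<script\b[^>]*\btype\s*=\s*["\']?\s*text/php\b~i';
    return preg_match($pattern, $html) === 1;
}

/**
 * Render untrusted HTML to PDF bytes with inline PHP and remote resource
 * loading switched off. Throws on input that carries an inline-PHP block so
 * the attempt can be logged and rejected rather than silently ignored.
 */
function renderUntrustedHtml(string $html): string
{
    if (containsInlinePhp($html)) {
        throw new InvalidArgumentException('Refusing HTML that contains an inline PHP block');
    }

    $options = new Options();
    // The setting CVE-2014-5013 hinges on. Modern dompdf defaults it to false;
    // setting it explicitly guards against a shared config re-enabling it.
    $options->set('isPhpEnabled', false);
    // Not required for this CVE, but keeps attacker HTML from pulling remote
    // stylesheets, images and fonts during rendering.
    $options->set('isRemoteEnabled', false);

    $dompdf = new Dompdf($options);
    $dompdf->loadHtml($html);
    $dompdf->setPaper('A4');
    $dompdf->render();

    $pdf = $dompdf->output();
    if ($pdf === null) {
        throw new RuntimeException('PDF rendering failed');
    }
    return $pdf;
}

// Constructed sample: the kind of document an attacker would submit.
$malicious = '<html><body><h1>Invoice</h1>'
    . '<script type="text/php">system($_GET["cmd"]);</script>'
    . '</body></html>';

// Constructed benign document.
$benign = '<html><body><h1>Invoice</h1><p>Total: 42.00</p></body></html>';

try {
    renderUntrustedHtml($malicious);
} catch (InvalidArgumentException $e) {
    echo "blocked: {$e->getMessage()}\n";
}

file_put_contents('invoice.pdf', renderUntrustedHtml($benign));
```

The regex is only a tripwire: dompdf parses the input with its own HTML parser, so markup the regex misses can still reach the evaluator, and the control that actually closes CVE-2014-5013 is the disabled option together with the upgrade to 0.6.2 or later. On the 0.6.x line, where the Options class does not exist, the equivalent is `define("DOMPDF_ENABLE_PHP", false);` in dompdf_config.custom.inc.php, which dompdf_config.inc.php includes before applying its own defaults.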

Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Ecosystem   Affected versions   Patched versions
dompdf/dompdf    Packagist   >= 0.6, < 0.6.2     0.6.2

Affected products: 2

Patches: 0 (no patch commits or diffs linked yet; the fixed release is 0.6.2 per the advisory data above)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0 (no linked articles in the index yet)