VYPR
Critical severity · NVD Advisory · Published Nov 15, 2024 · Updated Nov 18, 2024

Improper Restriction of XML External Entity Reference in dompdf/dompdf

CVE-2021-3902

Description

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An XXE vulnerability in dompdf's SVG parser allows SSRF and PHAR deserialization, bypassing remote resource restrictions, affecting versions prior to 2.0.0.

Vulnerability

Overview

The vulnerability is an improper restriction of external entities (XXE) in dompdf's SVG parser. This flaw allows attackers to perform Server-Side Request Forgery (SSRF) and PHAR deserialization attacks even when the isRemoteEnabled option is set to false [1]. The root cause is insufficient validation of external entity references within SVG files, enabling the parser to fetch and process attacker-controlled resources.

Exploitation

An attacker can exploit this by providing a crafted SVG document that includes external entity references. No authentication is required; the attacker only needs to supply the malicious SVG content to a dompdf instance, for example via file upload or direct input. The parser will then resolve these entities, leading to SSRF against internal network resources or triggering PHAR deserialization if the referenced file is a PHAR archive [1][4].

Impact

Successful exploitation allows an attacker to perform SSRF, potentially accessing internal services or files, and to disclose internal image files. More critically, PHAR deserialization can lead to arbitrary code execution on the server, depending on the available gadget chains [1].

Mitigation

The vulnerability is fixed in dompdf version 2.0.0. The fix, visible in commit [3], adds validation of SVG image references to prevent external entity processing. Users are strongly advised to upgrade to the latest version. No workarounds are known for unpatched versions.
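For defenders who accept SVG input, the reference check that 2.0.0 adds can also be run as a pre-screening step before a document reaches dompdf. The function below is an added example and not dompdf's own code: it rejects any DOCTYPE (the entity-declaration vector) and any <image> href whose scheme is outside a constructed allow-list that trusts only inline data: URIs, the posture one would expect when isRemoteEnabled is false.

```php
<?php
// Added example, not dompdf's code: pre-screen an SVG string before rendering.
// Flags (a) any DOCTYPE, since entity declarations are the XXE vector, and
// (b) every <image> href whose scheme is not in the allow-list. The default
// allow-list is a constructed choice that trusts only inline data: URIs.
function svgReferenceProblems(string $svg, array $allowedSchemes = ['data']): array
{
    $problems = [];
    if (preg_match('/<!DOCTYPE\b/i', $svg)) {
        $problems[] = 'DOCTYPE declaration present; entity declarations are not allowed';
    }
    $parser = xml_parser_create('UTF-8');
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
    xml_set_element_handler(
        $parser,
        function ($p, string $name, array $attrs) use (&$problems, $allowedSchemes): void {
            // Drop a namespace prefix so <svg:image> is checked like <image>.
            $pos = strrpos($name, ':');
            if (($pos === false ? $name : substr($name, $pos + 1)) !== 'image') {
                return;
            }
            $attrs = array_change_key_case($attrs, CASE_LOWER);
            $href  = $attrs['xlink:href'] ?? $attrs['href'] ?? '';
            if ($href === '') {
                return;
            }
            // Scheme is the token before the first ':'; a bare path is 'relative'.
            $scheme = preg_match('/^([a-z][a-z0-9+.-]*):/i', $href, $m) ? strtolower($m[1]) : 'relative';
            if (!in_array($scheme, $allowedSchemes, true)) {
                $problems[] = "image href uses disallowed scheme '$scheme': $href";
            }
        },
        function (): void {} // end-element handler: nothing to check
    );
    // Return value is checked: a document the validator cannot fully parse is not trusted.
    if (xml_parse($parser, $svg, true) !== 1) {
        $problems[] = 'SVG not well-formed: ' . xml_error_string(xml_get_error_code($parser));
    }
    xml_parser_free($parser);
    return $problems;
}

// Constructed sample: one inline image (accepted) and one phar:// reference (flagged).
$sample = '<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
    . '<image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="1" height="1"/>'
    . '<image href="phar:///path/to/constructed.phar/x.jpg" width="1" height="1"/>'
    . '</svg>';
print_r(svgReferenceProblems($sample));
```

Reject the input whenever the returned array is non-empty; with the default allow-list a relative path is reported as well, so add 'relative' to the list only if same-directory images are legitimate in your deployment.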

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions   Patched versions
dompdf/dompdf (Packagist)   < 2.0.0             2.0.0

Patches

f56bc8e40be6

Validate SVG image references

https://github.com/dompdf/dompdf · Brian Sweeney · Apr 19, 2022 · via ghsa
1 file changed · +33 −0
  • src/Image/Cache.php · +33 −0 · modified
    @@ -129,6 +129,39 @@ static function resolve_url($url, $protocol, $host, $base_path, Options $options
                 if (($width && $height && in_array($type, ["gif", "png", "jpeg", "bmp", "svg","webp"], true)) === false) {
                     throw new ImageException("Image type unknown", E_WARNING);
                 }
    +
    +            if ($type === "svg") {
    +                $parser = xml_parser_create("utf-8");
    +                xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);
    +                xml_set_element_handler(
    +                    $parser,
    +                    function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
    +                        if ($name === "image") {
    +                            $attributes = array_change_key_case($attributes, CASE_LOWER);
    +                            $url = $attributes["xlink:href"] ?? $attributes["href"];
    +                            if (!empty($url)) {
    +                                $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url);
    +                                if ($inner_full_url === $full_url) {
    +                                    throw new ImageException("SVG self-reference is not allowed", E_WARNING);
    +                                }
    +                                [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options);
    +                                if (!empty($message)) {
    +                                    throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING);
    +                                }
    +                            }
    +                        }
    +                    },
    +                    false
    +                );
    +        
    +                if (($fp = fopen($resolved_url, "r")) !== false) {
    +                    while ($line = fread($fp, 8192)) {
    +                        xml_parse($parser, $line, false);
    +                    }
    +                    fclose($fp);
    +                }
    +                xml_parser_free($parser);
    +            }
             } catch (ImageException $e) {
                 if ($tempfile) {
                     unlink($tempfile);
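Review bot: the return value of xml_parse() is ignored in the fread loop and there is no final xml_parse($parser, "", true) call, so once expat reports a well-formedness error nothing after that point is parsed and any <image> reference past the error is never validated, while resolve_url still returns the image as if it had passed; treating a 0 return as a failure (throw ImageException) would close that gap. Two smaller points in the same handler: `$name === "image"` does not match a prefixed `svg:image` element, and `$attributes["xlink:href"] ?? $attributes["href"]` still raises an undefined-index notice when neither attribute is present (`?? $attributes["href"] ?? null` avoids it).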

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
