Server-Side Request Forgery (SSRF) in dompdf/dompdf
Description
Server-Side Request Forgery (SSRF) in GitHub repository dompdf/dompdf prior to 2.0.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Server-Side Request Forgery (SSRF) in dompdf prior to 2.0.0 allows attackers to make requests to internal resources via crafted HTML, leading to information disclosure.
CVE-2022-0085 is a Server-Side Request Forgery (SSRF) vulnerability in dompdf, an HTML to PDF converter for PHP, prior to version 2.0.0. The root cause is that dompdf, when processing HTML, fetches external resources such as stylesheets and images through PHP's fopen (stream) wrappers without adequate validation of the target URLs [1][2]. An attacker who controls the HTML therefore controls the destination of those requests.
Exploitation requires the ability to supply HTML content to dompdf, which is common in applications that generate PDFs from user input. An attacker can craft HTML containing references to internal IP addresses (e.g., 127.0.0.1, 10.0.0.1) or cloud metadata endpoints (e.g., http://169.254.169.254/). When dompdf renders the HTML, the HTTP requests originate from the server's own network position, so they reach hosts that perimeter filtering keeps away from external clients [2][3].
The impact of successful exploitation includes information disclosure from internal services, such as cloud instance metadata, internal API endpoints, or other sensitive data. The SSRF can also be used for port scanning or for interacting with internal systems that were never meant to be reachable from outside [2][3].
The vulnerability has been addressed in dompdf version 2.0.0. Users are strongly advised to upgrade to this version or later. The fix includes changes to the default HTTP context (see commit bb1ef65) [4]. No workaround is available for earlier versions; upgrading is the recommended mitigation [2][3].
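The narrative above names the root cause (resource URLs handed straight to PHP stream wrappers) and the 2.0.0 fix (a default HTTP context that no longer follows redirects). The PHP below is an added example and not dompdf's own code: a URL validator that rejects non-http(s) schemes and any host resolving to loopback, private, link-local (including 169.254.169.254) or other reserved addresses, wired into dompdf as a per-protocol rule. The function names isPublicHttpUrl, isPublicIp and buildHardenedDompdf are hypothetical; the Dompdf\Options calls (setIsRemoteEnabled, setHttpContext, setAllowedProtocols) and the assumed 2.0-series rule-callback contract (a callable receiving the URI and returning [bool, string]) should be checked against the installed dompdf version.

```php
<?php
// Added example (not dompdf project code). Assumes dompdf >= 2.0.0.
declare(strict_types=1);

use Dompdf\Dompdf;
use Dompdf\Options;

/**
 * True only for http(s) URLs whose host resolves exclusively to public
 * addresses. $resolve (hostname -> list of IPs) is injectable so the check
 * can be exercised offline; by default gethostbynamel() is used (IPv4 only;
 * add an AAAA lookup via dns_get_record() if your hosts are dual-stack).
 */
function isPublicHttpUrl(string $url, ?callable $resolve = null): bool
{
    $resolve ??= static fn(string $host): array => gethostbynamel($host) ?: [];

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;                      // no file://, php://, phar://, ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;                      // userinfo is mostly used to disguise the real host
    }
    $host = trim($parts['host'], '[]');    // strip IPv6 literal brackets

    // IP literals are checked directly; names are resolved and every answer
    // must be public. Odd spellings such as "2130706433" (decimal 127.0.0.1)
    // are not IP literals to filter_var, but the resolver maps them back to
    // 127.0.0.1, which the range check then rejects.
    $addresses = filter_var($host, FILTER_VALIDATE_IP) !== false ? [$host] : $resolve($host);
    if ($addresses === []) {
        return false;
    }
    foreach ($addresses as $ip) {
        if (!isPublicIp($ip)) {
            return false;
        }
    }
    return true;
}

function isPublicIp(string $ip): bool
{
    // NO_PRIV_RANGE: 10/8, 172.16/12, 192.168/16, fc00::/7
    // NO_RES_RANGE : 0/8, 127/8, 169.254/16, 240/4, ::1, ::, ::ffff:0:0/96, fe80::/10
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return false;
    }
    // PHP's flags do not cover the CGNAT block 100.64.0.0/10; reject it explicitly.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $n = ip2long($ip);
        if (($n & 0xFFC00000) === ((100 << 24) | (64 << 16))) {
            return false;
        }
    }
    return true;
}

function buildHardenedDompdf(): Dompdf
{
    $options = new Options();
    // Enable remote fetching only if the application genuinely needs it.
    $options->setIsRemoteEnabled(true);
    // Keep the 2.0.0 default of not following redirects, so an allow-listed
    // public host cannot bounce the request to an internal one; bound the wait.
    $options->setHttpContext(['http' => ['follow_location' => false, 'timeout' => 5]]);

    // Assumed 2.0.x contract: each rule gets the URI and returns [bool ok, string message].
    // The rule re-checks isRemoteEnabled itself because it replaces dompdf's default rule.
    $rule = static function (string $uri) use ($options): array {
        if (!$options->getIsRemoteEnabled()) {
            return [false, 'Remote resources are disabled'];
        }
        return isPublicHttpUrl($uri)
            ? [true, '']
            : [false, "Blocked non-public resource URL: $uri"];
    };
    $options->setAllowedProtocols([
        'http://'  => ['rules' => [$rule]],
        'https://' => ['rules' => [$rule]],
    ]);
    return new Dompdf($options);
}

// Offline exercise with a constructed resolver that never hits DNS:
$fakeResolve = static fn(string $h): array => $h === 'cdn.example.com' ? ['203.0.113.10'] : ['10.0.0.5'];
isPublicHttpUrl('http://169.254.169.254/latest/meta-data/', $fakeResolve);
isPublicHttpUrl('http://intranet.example.internal/', $fakeResolve);
isPublicHttpUrl('https://cdn.example.com/style.css', $fakeResolve);
```

The check is deliberately performed on resolved addresses rather than on the hostname string, which is what defeats decimal or hex host spellings; it is still subject to DNS rebinding between the check and the fetch, so treat it as defence in depth alongside egress filtering and, for 1.x deployments where isRemoteEnabled cannot be turned off, a network policy that blocks the metadata and RFC 1918 ranges from the rendering host.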
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dompdf/dompdf (Packagist) | < 2.0.0 | 2.0.0 |
Affected products
- dompdf/dompdf/dompdf v5, Range: unspecified
Patches
2 files changed · +12 −1
src/Options.php+12 −0 modified@@ -298,6 +298,18 @@ public function __construct(array $attributes = null) $this->setFontDir($rootDir . "/lib/fonts"); $this->setFontCache($this->getFontDir()); + $ver = ""; + $versionFile = realpath(__DIR__ . "/../VERSION"); + if (file_exists($versionFile) && ($version = trim(file_get_contents($versionFile))) !== false && $version !== '$Format:<%h>$') { + $ver = "/$version"; + } + $this->setHttpContext([ + "http" => [ + "follow_location" => false, + "user_agent" => "Dompdf$ver https://github.com/dompdf/dompdf" + ] + ]); + if (null !== $attributes) { $this->set($attributes); }
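Review bot: the `!== false` guard in the Options.php constructor hunk never fires, because `trim()` always returns a string; a failed `file_get_contents()` becomes `""`, and an empty or unreadable VERSION file produces `$ver = "/"` and the user agent `Dompdf/ https://github.com/dompdf/dompdf`. Test the read result before trimming and also reject the empty string, e.g. `$raw = file_exists($versionFile) ? file_get_contents($versionFile) : false;` then `if ($raw !== false && ($version = trim($raw)) !== '' && $version !== '$Format:<%h>$')`. Worth a line in the changelog as well: the default context now has `follow_location => false`, which is the behaviour change that stops a redirect from steering a fetch onto another host, and the fixed `user_agent` string gives operators a stable marker for spotting dompdf-originated requests in outbound proxy logs.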
tests/DompdfTest.php+0 −1 modified@@ -21,7 +21,6 @@ public function testConstructor() $this->assertIsArray($dompdf->getCallbacks()); $this->assertInstanceOf(Stylesheet::class, $dompdf->getCss()); $this->assertNull($dompdf->getDom()); - $this->assertNull($dompdf->getHttpContext()); $this->assertInstanceOf(Options::class, $dompdf->getOptions()); $this->assertFalse($dompdf->getQuirksmode()); $this->assertNull($dompdf->getTree());
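Review bot: the DompdfTest.php hunk only deletes `$this->assertNull($dompdf->getHttpContext());` and adds no assertion in its place, so the new default context is unverified by the suite. Add a positive check that the constructed Dompdf instance carries the hardened defaults, for example reading the options back with `stream_context_get_options($dompdf->getHttpContext())` (if the getter returns a stream-context resource) and asserting `['http']['follow_location']` is `false` and `['http']['user_agent']` starts with `Dompdf`.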
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-pf6p-25r2-fx45 (GHSA, advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2022-0085 (GHSA, advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-0085.yaml (GHSA, web)
- https://github.com/dompdf/dompdf/commit/bb1ef65011a14730b7cfbe73506b4bb8a03704bd (GHSA, x_refsource_MISC, web)
- https://huntr.dev/bounties/73dbcc78-5ba9-492f-9133-13bbc9f31236 (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.