CVE-2022-41343
Description
registerFont in FontMetrics.php in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a @font-face rule.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dompdf before 2.0.1 allows remote file inclusion via font URI validation failure, leading to RCE when combined with Phar deserialization.
The vulnerability resides in the registerFont function of FontMetrics.php in Dompdf versions before 2.0.1. When processing a @font-face CSS rule, the code fails to halt font registration even if the font URI fails validation, allowing an attacker to specify a remote file path that can be included and processed. [1]
Exploitation requires an application using Dompdf to render user-supplied HTML containing a @font-face rule with a malicious font URL. The attacker can leverage PHP's phar:// wrapper to trigger deserialization of a crafted Phar file, provided the application runs on PHP <= 7.x and a suitable deserialization gadget is available. [1] The vulnerability builds on incomplete fixes for prior CVEs (CVE-2022-28368 and CVE-2021-3838). [1]
Successful exploitation leads to remote code execution (RCE) under the conditions mentioned. [1] The attacker gains the ability to execute arbitrary PHP code on the server, potentially compromising the entire application and its data.
The vulnerability was patched in Dompdf version 2.0.1. [2] Users should update immediately. For cases where backporting is not possible, users may need to apply manual validation or restrict access. [4] The fix ensures that font registration is halted upon URI validation failure. [4]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
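The flaw described above is a control-flow bug: validation runs, records a warning, and then registration continues as if the check had passed. The following PHP is an added illustration written for this page (it is not Dompdf's code) that places the warning-only pattern beside the halting form, modelled on the checks visible in the fix diff. The function names, the `$allowed` allow-list shape, the font directory `/srv/app/fonts/` and the sample URIs are all constructed for the demonstration.

```php
<?php
// Added illustration, not Dompdf code: "validate but do not halt" versus
// "halt on validation failure". All names and paths here are hypothetical.
declare(strict_types=1);

/** Allow-list of URI schemes with per-scheme rules, shaped like the diff's $allowed_protocols. */
function allowedProtocols(bool $remoteEnabled): array
{
    return [
        'file://' => ['rules' => [
            // Constructed rule: only fonts under a known local font directory.
            function (string $uri): array {
                $path = substr($uri, strlen('file://'));
                $ok = strpos($path, '/srv/app/fonts/') === 0 && strpos($path, '..') === false;
                return [$ok, $ok ? '' : 'Font file outside the font directory'];
            },
        ]],
        'https://' => ['rules' => [
            // Constructed rule: remote fonts only when the deployment opted in.
            function (string $uri) use ($remoteEnabled): array {
                return [$remoteEnabled, $remoteEnabled ? '' : 'Remote fonts disabled'];
            },
        ]],
    ];
}

/** Extract the scheme ("phar://", "file://", ...); bare paths are treated as file://. */
function schemeOf(string $uri): string
{
    $pos = strpos($uri, '://');
    return $pos === false ? 'file://' : substr($uri, 0, $pos + 3);
}

/**
 * Pre-2.0.1 shape: every failure only records a warning and control falls
 * through, so the function still reports the font as registered.
 */
function registerFontVulnerable(string $uri, array $allowed, array &$warnings): bool
{
    $scheme = schemeOf($uri);
    if (!array_key_exists($scheme, $allowed)) {
        $warnings[] = "Permission denied on $uri. The communication protocol is not supported.";
        // Defect: no return here, execution continues.
    }
    foreach ($allowed[$scheme]['rules'] ?? [] as $rule) {
        [$result, $message] = $rule($uri);
        if ($result !== true) {
            $warnings[] = "Error loading $uri: $message";
            // Defect: no return here either.
        }
    }
    return true; // registration proceeds regardless of the warnings above
}

/** 2.0.1 shape: the first validation failure halts registration. */
function registerFontFixed(string $uri, array $allowed, array &$warnings): bool
{
    $scheme = schemeOf($uri);
    if (!array_key_exists($scheme, $allowed)) {
        $warnings[] = "Permission denied on $uri. The communication protocol is not supported.";
        return false;
    }
    foreach ($allowed[$scheme]['rules'] as $rule) {
        [$result, $message] = $rule($uri);
        if ($result !== true) {
            $warnings[] = "Error loading $uri: $message";
            return false;
        }
    }
    return true;
}

// Constructed inputs: one legitimate local font and one URI using a scheme
// that is not on the allow-list (the page names phar:// as the abused wrapper).
$inputs = [
    'file:///srv/app/fonts/DejaVuSans.ttf',
    'phar://untrusted.phar',
];
$allowed = allowedProtocols(false);
foreach ($inputs as $uri) {
    foreach (['registerFontVulnerable', 'registerFontFixed'] as $fn) {
        $warnings = [];
        $registered = $fn($uri, $allowed, $warnings);
        printf("%-22s %-40s registered=%-5s warnings=%d\n",
            $fn, $uri, var_export($registered, true), count($warnings));
    }
}
```

Running this shows the vulnerable shape reporting `registered=true` for both URIs (the phar:// case with a warning attached but no refusal), while the fixed shape returns `false` with the warning for the disallowed scheme and `true` with no warnings for the local font. The defensive takeaway is that a recorded warning is not a control-flow decision; the detection signal for this class of bug in logs is a "Permission denied" or "Error loading" warning followed by a successful fetch of the same URI. In a real deployment the equivalent knobs are Dompdf's `Options` (for instance `setIsRemoteEnabled(false)` for remote fonts), to be checked against the installed version.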
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dompdf/dompdf (Packagist) | < 2.0.1 | 2.0.1 |
Affected products
- Dompdf/Dompdf
Patches
66431c58017d Halt font registration when URL fails validation
1 file changed · +2 −0
src/FontMetrics.php+2 −0 modified@@ -213,12 +213,14 @@ public function registerFont($style, $remoteFile, $context = null) $allowed_protocols = $this->options->getAllowedProtocols(); if (!array_key_exists($protocol, $allowed_protocols)) { Helpers::record_warnings(E_USER_WARNING, "Permission denied on $remoteFile. The communication protocol is not supported.", __FILE__, __LINE__); + return false; } foreach ($allowed_protocols[$protocol]["rules"] as $rule) { [$result, $message] = $rule($remoteFile); if ($result !== true) { Helpers::record_warnings(E_USER_WARNING, "Error loading $remoteFile: $message", __FILE__, __LINE__); + return false; } }
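Review bot: the two added `return false` exits are the right fix, but the hunk does not show the docblock of `registerFont($style, $remoteFile, $context = null)` or its callers; make sure the function documents `false` as its failure return and that the @font-face handling treats `false` as "not registered" rather than going on to fetch the file, since the warning-only fall-through is exactly what this CVE abused. Note also that before the change, when `$protocol` was absent from `$allowed_protocols`, control reached `foreach ($allowed_protocols[$protocol]["rules"] as $rule)` and indexed a missing key, so the first early return removes that undefined-index access as well as the security hole.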
Vulnerability mechanics
Generated on May 9, 2026 from CWE entries and the fix-commit diffs in this CVE's patches.
References
- github.com/advisories/GHSA-6x28-7h8c-chx4 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-41343 (NVD advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2022-41343.yaml
- github.com/dompdf/dompdf/commit/66431c58017d5b1bdb9f6f772b9fbbc5e3d38dc2 (fix commit)
- github.com/dompdf/dompdf/issues/2994
- github.com/dompdf/dompdf/pull/2995
- github.com/dompdf/dompdf/releases/tag/v2.0.1
- tantosec.com/blog/cve-2022-41343 (listed by both GHSA and MITRE)