URI validation failure on SVG parsing in Dompdf
Description
Dompdf is an HTML to PDF converter. The URI validation in dompdf 2.0.1 can be bypassed during SVG parsing by passing `<image>` tags with uppercase letters. This may lead to arbitrary object unserialize on PHP < 8, through the `phar://` URL wrapper. An attacker can exploit the vulnerability to call arbitrary URLs with arbitrary protocols if they can provide an SVG file to dompdf. In PHP versions before 8.0.0, it leads to arbitrary unserialize, which will lead at the very least to arbitrary file deletion and possibly to remote code execution, depending on the classes that are available.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dompdf 2.0.1 SVG parsing case-sensitivity flaw allows phar:// deserialization on PHP <8, leading to RCE.
Root Cause
The vulnerability resides in the SVG `<image>` tag handling within dompdf's src/Image/Cache.php. The element name check `$name === "image"` is case-sensitive [4]. An attacker can bypass URI validation by writing the tag name with uppercase letters (e.g., an `<image>` element spelled in uppercase), which then passes through without undergoing the protocol whitelist check [1][4].
Exploitation
An attacker who can supply a malicious SVG file to dompdf can embed an `<image>` tag with an href attribute using the `phar://` wrapper [1]. For example: [4]. This bypasses the intended restriction and triggers the `phar://` URL wrapper, which on PHP versions before 8.0.0 leads to arbitrary object deserialization [1][4].
Impact
Successful exploitation allows the attacker to call arbitrary URLs with arbitrary protocols via the SVG parser [1]. On PHP < 8.0.0, the deserialization can result in arbitrary file deletion and, if suitable gadget chains are available, remote code execution [1][4]. No CVSS score is given in the sources; the severity is considered high given the potential for complete compromise.
Mitigation
The issue was fixed in dompdf version 2.0.2 [4]. Users should upgrade immediately. For those unable to upgrade, ensuring PHP 8.0 or later is used mitigates the deserialization risk, though arbitrary URL calls remain possible [1].
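To make the root cause and the fix concrete, here is an added PHP example (written for this page, not code from dompdf) that mirrors the shape of the element handler in src/Image/Cache.php: it parses a constructed SVG with PHP's expat-based `xml_parser_create`, and runs the 2.0.1 comparison (`$name === "image"`) and the 2.0.2 comparison (`strtolower($name) === "image"`) side by side. The function name `findDisallowedImageUrls`, the `ALLOWED_SCHEMES` allow-list and the sample SVG are assumptions for illustration; dompdf's real protocol policy lives in its `Options` object and is not reproduced here.

```php
<?php
// Added example (not dompdf's code): a minimal SVG <image> URL validator in a
// vulnerable (case-sensitive) and a fixed (case-insensitive) form.

// Constructed allow-list for this example; the real policy is the application's.
const ALLOWED_SCHEMES = ['http', 'https', 'file'];

/**
 * Return every <image> URL whose scheme is outside ALLOWED_SCHEMES.
 * $caseInsensitive = false reproduces the 2.0.1 check ($name === "image"),
 * $caseInsensitive = true  reproduces the 2.0.2 check (strtolower($name) === "image").
 */
function findDisallowedImageUrls(string $svg, bool $caseInsensitive): array
{
    $rejected = [];
    $parser = xml_parser_create('UTF-8');
    // Keep element and attribute names exactly as the author wrote them, so the
    // comparison below sees the document's casing (expat upper-cases by default).
    xml_parser_set_option($parser, XML_OPTION_CASE_FOLDING, false);

    xml_set_element_handler(
        $parser,
        function ($parser, string $name, array $attributes) use (&$rejected, $caseInsensitive): void {
            $isImage = $caseInsensitive
                ? (strtolower($name) === 'image')
                : ($name === 'image');
            if (!$isImage) {
                return; // an upper-case <IMAGE> element never reaches the scheme check here
            }
            // Attribute names were already handled case-insensitively before the fix.
            $attributes = array_change_key_case($attributes, CASE_LOWER);
            $url = $attributes['xlink:href'] ?? $attributes['href'] ?? '';
            if ($url === '') {
                return;
            }
            $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
            if (!in_array($scheme, ALLOWED_SCHEMES, true)) {
                $rejected[] = $url;
            }
        },
        static function ($parser, string $name): void {}
    );

    if (xml_parse($parser, $svg, true) !== 1) {
        throw new RuntimeException('SVG parse error: ' . xml_error_string(xml_get_error_code($parser)));
    }
    xml_parser_free($parser);
    return $rejected;
}

// Constructed sample input: one lower-case <image> with an allowed scheme and one
// upper-case <IMAGE> whose href uses a scheme the allow-list does not permit.
$svg = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://example.com/logo.png"/>
  <IMAGE xlink:href="phar://constructed-example.phar/entry"/>
</svg>
SVG;

$vulnerable = findDisallowedImageUrls($svg, false);
$fixed      = findDisallowedImageUrls($svg, true);

printf("case-sensitive check   rejected %d URL(s): %s\n", count($vulnerable), implode(', ', $vulnerable));
printf("case-insensitive check rejected %d URL(s): %s\n", count($fixed), implode(', ', $fixed));
```

The two calls show the difference in one run: with the exact comparison the upper-case element is never treated as an image, so its URL is never checked against the allow-list, while the lowercased comparison routes it through the same scheme check as every other `<image>`. The defensive lesson generalises beyond this CVE: a validator that sits in front of a renderer must recognise at least every spelling the renderer accepts, otherwise the gap between the two is the bypass.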
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| dompdf/dompdf | Packagist | < 2.0.2 | 2.0.2 |
Affected products
- dompdf/dompdf: affected range < 2.0.2
Patches
- Commit 7558f07f693b: SVG parsing - comparing the tag name in a case insensitive way
1 file changed · +1 −1
src/Image/Cache.php+1 −1 modified@@ -133,7 +133,7 @@ static function resolve_url($url, $protocol, $host, $base_path, Options $options xml_set_element_handler( $parser, function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { - if ($name === "image") { + if (strtolower($name) === "image") { $attributes = array_change_key_case($attributes, CASE_LOWER); $url = $attributes["xlink:href"] ?? $attributes["href"]; if (!empty($url)) {
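Review bot: the lowercased comparison `strtolower($name) === "image"` now matches whatever casing the SVG author used, which lines up with the `array_change_key_case($attributes, CASE_LOWER)` already applied to the attributes on the following line, but the hunk ships with no test and no comment. A regression test that feeds an SVG containing an upper-case and a mixed-case `<image>` element through `resolve_url` and asserts the protocol check fires would pin this behaviour, and a one-line comment stating that the validator must recognise every spelling the downstream SVG renderer accepts would keep a later refactor from reintroducing the exact comparison.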
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-3cw5-7cxw-v5qg (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-23924 (GHSA advisory)
- https://github.com/FriendsOfPHP/security-advisories/blob/master/dompdf/dompdf/CVE-2023-23924.yaml (GHSA, web)
- https://github.com/dompdf/dompdf/commit/7558f07f693b2ac3266089f21051e6b78c6a0c85 (GHSA, x_refsource_MISC, web)
- https://github.com/dompdf/dompdf/releases/tag/v2.0.2 (GHSA, x_refsource_MISC, web)
- https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg (GHSA, x_refsource_CONFIRM, web)
News mentions
No linked articles in our index yet.