URI validation failure on SVG parsing. Bypass of CVE-2023-23924
Description
Dompdf is an HTML to PDF converter written in PHP. Because the attribute parser in Dompdf and the one in php-svg-lib disagree on precedence, an attacker can still make Dompdf call arbitrary URLs with arbitrary protocols. Dompdf parses the href attribute of image tags but gives xlink:href precedence whenever it is present, even if href is also specified. php-svg-lib, which later parses the SVG file, gives precedence to href. Since href wins in php-svg-lib when both xlink:href and href are specified, the protection on the Dompdf side can be bypassed by supplying an empty xlink:href attribute alongside the real URL in href. An attacker who can supply an SVG file to Dompdf can exploit this to call arbitrary URLs with arbitrary protocols. On PHP versions before 8.0.0 this leads to arbitrary unserialize, which results at the very least in arbitrary file deletion and may lead to remote code execution, depending on the classes available. This vulnerability has been addressed in commit 95009ea98, which is included in release version 2.0.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Dompdf SVG parsing bypass allows arbitrary URL calls due to differing href/xlink:href attribute handling between Dompdf and php-svg-lib.
Vulnerability
Overview
CVE-2023-24813 is a bypass of the fix for CVE-2023-23924 in dompdf, an HTML-to-PDF converter for PHP. The root cause is a discrepancy between how dompdf and the underlying php-svg-lib library choose between the href and xlink:href attributes of SVG `<image>` elements. Dompdf's pre-2.0.3 guard reduced the two attributes to a single URL with `$url = $attributes["xlink:href"] ?? $attributes["href"];`, so whenever xlink:href is present at all, even as an empty string, href is never looked at; an empty xlink:href then fails the `!empty($url)` test and validation is skipped altogether. php-svg-lib, which renders the image afterwards, prefers href over xlink:href. An attacker therefore supplies `xlink:href=""` together with a malicious href: dompdf sees nothing to validate, while php-svg-lib fetches the attacker-controlled URL [1][3].
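To make the precedence mismatch concrete, here is an added example (not dompdf or php-svg-lib code) that parses a constructed SVG with PHP's expat wrapper the way src/Image/Cache.php does, then applies the pre-2.0.3 single-attribute guard and the 2.0.3 both-attributes guard side by side, next to the URL a consumer that prefers href would act on. The `isAllowed()` allow-list is a hypothetical stand-in for dompdf's resolve_url() policy, and the `phar://` path is a made-up payload location.

```php
<?php
// Added example, not dompdf or php-svg-lib code. Models the href / xlink:href
// precedence mismatch behind CVE-2023-24813 and the shape of the 2.0.3 fix.
declare(strict_types=1);

// Constructed input: an empty xlink:href beside an attacker-controlled href.
// The phar:// path is a hypothetical payload location.
$craftedSvg = <<<'SVG'
<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <image xlink:href="" href="phar://var/www/uploads/evil.phar/x.png" width="10" height="10"/>
</svg>
SVG;

/**
 * Collect the attributes of every <image> element using PHP's expat wrapper,
 * lower-casing attribute names the way src/Image/Cache.php does. Throws on a
 * malformed document instead of silently stopping at the first error.
 */
function imageAttributes(string $svg): array
{
    $found = [];
    $parser = xml_parser_create();
    xml_set_element_handler(
        $parser,
        function ($p, string $name, array $attrs) use (&$found): void {
            if (strtolower($name) === 'image') {
                $found[] = array_change_key_case($attrs, CASE_LOWER);
            }
        },
        function ($p, string $name): void {
        }
    );
    $ok = xml_parse($parser, $svg, true);
    $error = xml_error_string(xml_get_error_code($parser));
    xml_parser_free($parser);
    if ($ok !== 1) {
        throw new RuntimeException("malformed SVG: $error");
    }
    return $found;
}

// Hypothetical stand-in for dompdf's resolve_url() policy: only http(s) URLs pass.
function isAllowed(string $url): bool
{
    return preg_match('#^https?://#i', $url) === 1;
}

// Pre-2.0.3 guard: one URL; xlink:href wins whenever the key exists, even when empty.
function passesOldGuard(array $attrs): bool
{
    $url = $attrs['xlink:href'] ?? $attrs['href'] ?? '';
    return empty($url) || isAllowed($url);   // an empty string means nothing is validated
}

// 2.0.3 guard: every candidate attribute must pass, so href can no longer hide behind xlink:href.
function passesNewGuard(array $attrs): bool
{
    foreach ([$attrs['xlink:href'] ?? '', $attrs['href'] ?? ''] as $url) {
        if ($url !== '' && !isAllowed($url)) {
            return false;
        }
    }
    return true;
}

// Consumer side: per the advisory, php-svg-lib prefers href over xlink:href.
function rendererUrl(array $attrs): string
{
    return $attrs['href'] ?? $attrs['xlink:href'] ?? '';
}

foreach (imageAttributes($craftedSvg) as $attrs) {
    printf("renderer would fetch : %s\n", rendererUrl($attrs));
    printf("pre-2.0.3 guard      : %s\n", passesOldGuard($attrs) ? 'accepts' : 'rejects');
    printf("2.0.3 guard          : %s\n", passesNewGuard($attrs) ? 'accepts' : 'rejects');
}
```

The old guard coalesces to the empty xlink:href and validates nothing, while the new guard iterates both attributes; the differential disappears only because every value any downstream parser might pick is checked. Both guards, like the patch, key on the literal prefix `xlink` after case folding; an SVG that binds the XLink namespace to a different prefix would miss that lookup unless a namespace-aware parser (xml_parser_create_ns) is used, so the prefix handling of whatever library consumes the file downstream is worth checking as well.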
Exploitation
Prerequisites
An attacker must be able to feed a crafted SVG file to an application that uses dompdf to render user-supplied HTML or SVG content into PDFs, whether through direct SVG upload or by inclusion in rendered content. The advisory states no authentication requirement; the attack surface is any endpoint that processes untrusted SVG input [1][3].
Impact
Successful exploitation lets the attacker make the server request arbitrary URLs over arbitrary protocols, that is, any stream wrapper PHP has enabled, such as file://, phar:// or http://. On PHP versions before 8.0.0 this leads to arbitrary PHP object unserialization (PHP 8.0 stopped unserializing phar metadata on access), which results in at least arbitrary file deletion and may lead to remote code execution, depending on the classes the application can autoload [1][3].
Mitigation
The fix shipped in dompdf release 2.0.3 as commit 95009ea98. Instead of coalescing xlink:href and href into a single value, the patch validates each attribute independently, so whichever of the two a downstream parser prefers has already been checked. Users must upgrade to version 2.0.3 or later; no workarounds are known [2][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dompdf/dompdf (Packagist) | >= 2.0.2, < 2.0.3 | 2.0.3 |
Affected products
- dompdf/dompdf, range: = 2.0.2
Patches
- 95009ea98230: Validate both bare and namespaced SVG image HREF attributes
1 file changed · +14 −9
src/Image/Cache.php+14 −9 modified@@ -135,15 +135,19 @@ static function resolve_url($url, $protocol, $host, $base_path, Options $options function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { if (strtolower($name) === "image") { $attributes = array_change_key_case($attributes, CASE_LOWER); - $url = $attributes["xlink:href"] ?? $attributes["href"]; - if (!empty($url)) { - $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url); - if ($inner_full_url === $full_url) { - throw new ImageException("SVG self-reference is not allowed", E_WARNING); - } - [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options); - if (!empty($message)) { - throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING); + $urls = []; + $urls[] = $attributes["xlink:href"] ?? ""; + $urls[] = $attributes["href"] ?? ""; + foreach ($urls as $url) { + if (!empty($url)) { + $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url); + if ($inner_full_url === $full_url) { + throw new ImageException("SVG self-reference is not allowed", E_WARNING); + } + [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options); + if (!empty($message)) { + throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING); + } } } } @@ -156,6 +160,7 @@ function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) { xml_parse($parser, $line, false); } fclose($fp); + xml_parse($parser, "", true); } xml_parser_free($parser); }
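Review bot: in the first hunk, `$urls[] = $attributes["xlink:href"] ?? "";` matches the XLink attribute only under the literal prefix `xlink`, since `array_change_key_case` changes case only and, if the parser is created with xml_parser_create() rather than xml_parser_create_ns(), the handler receives raw qualified names; an SVG that binds `http://www.w3.org/1999/xlink` to another prefix (`l:href`) would miss both keys and skip validation entirely. Please confirm how php-svg-lib resolves that attribute, and if it is namespace-aware, match on the local name `href` regardless of prefix, or switch to the namespace-aware parser and compare the namespace URI. Minor: `!empty($url)` also treats the string "0" as empty, so a relative reference of `href="0"` is never resolved or checked; `$url !== ""` is the stricter test.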
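Review bot: in the second hunk, the added `xml_parse($parser, "", true);` correctly flushes whatever the line loop left buffered, but its return value is discarded, as is that of each `xml_parse($parser, $line, false);` call above it. Once expat hits a well-formedness error it reports no further elements, so any `image` start tag after the error is never passed to the handler and its URL is never validated, yet nothing in this block rejects the document. Suggest checking the return of each call and throwing an ImageException carrying xml_error_string(xml_get_error_code($parser)) on failure, so a document dompdf could not fully inspect is not handed on.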
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] GitHub Advisory Database, GHSA-56gj-mvh6-rp75: https://github.com/advisories/GHSA-56gj-mvh6-rp75
- [2] NVD, CVE-2023-24813: https://nvd.nist.gov/vuln/detail/CVE-2023-24813
- [3] Fix commit 95009ea98: https://github.com/dompdf/dompdf/commit/95009ea98230f9b084b040c34e3869ef3dccc9aa
- [4] dompdf repository security advisory: https://github.com/dompdf/dompdf/security/advisories/GHSA-56gj-mvh6-rp75