VYPR
← All advisories
Moderate severityNVD Advisory· Published Dec 13, 2023· Updated Aug 2, 2024

Dompdf possible DoS caused by infinite recursion when parsing SVG images

CVE-2023-50262

Description

Dompdf is an HTML to PDF converter for PHP. When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, prior to version 2.0.4, a recursive chained using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself.

php-svg-lib, when run in isolation, does not support SVG references for image elements. However, when used in combination with Dompdf, php-svg-lib will process SVG images referenced by an image element. Dompdf currently includes validation to prevent self-referential image references, but a chained reference is not checked. A malicious actor may thus trigger infinite recursion by chaining references between two or more SVG images.

When Dompdf parses a malicious payload, it will crash due after exceeding the allowed execution time or memory usage. An attacker sending multiple request to a system can potentially cause resource exhaustion to the point that the system is unable to handle incoming request.

Version 2.0.4 contains a fix for this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Dompdf <=2.0.3 fails to detect chained SVG image references, allowing infinite recursion leading to denial of service via resource exhaustion.

Vulnerability

Overview CVE-2023-50262 affects Dompdf, an HTML-to-PDF converter for PHP. The software includes validation to prevent SVG documents from referencing themselves via `` elements. However, prior to version 2.0.4, it fails to detect recursive chains using two or more SVG documents, allowing infinite recursion [1].

Exploitation

An attacker can craft a malicious HTML document containing chained SVG images that reference each other in a loop. When Dompdf parses the document, it processes each SVG and follows the references indefinitely, consuming excessive CPU time and memory [2]. No authentication is needed; exploitation can be achieved by tricking a user into converting a crafted HTML file.

Impact

This recursive behavior leads to denial of service by exhausting system resources. Sending multiple such requests can render the server unable to handle legitimate traffic [1]. The vulnerability is remotely exploitable and has a CVSS v3.1 base score of 7.5.

Mitigation

The issue is fixed in Dompdf version 2.0.4, which introduces detection of circular references across SVG documents [3]. The vulnerable code resided in src/Image/Cache.php at versions before 2.0.4 [4]. Users should upgrade immediately.

References
  1. NVD - CVE-2023-50262
  2. GitHub - dompdf/dompdf: HTML to PDF converter for PHP
  3. Improve SVG file reference recursion validation · dompdf/dompdf@41cbac1
  4. dompdf/src/Image/Cache.php at v2.0.3 · dompdf/dompdf

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
dompdf/dompdfPackagist
< 2.0.42.0.4

Affected products

2

Patches

1
41cbac16f3cf

Improve SVG file reference recursion validation

https://github.com/dompdf/dompdfBrian SweeneyDec 4, 2023via ghsa
commit
1 file changed · +39 9
  • src/Image/Cache.php+39 9 modified
    @@ -31,6 +31,14 @@ class Cache
      */
     protected static $tempImages = [];
 
+    /**
+     * Array of image references from an SVG document.
+     * Used to detect circular references across SVG documents.
+     *
+     * @var array
+     */
+    protected static $svgRefs = [];
+
     /**
      * The url to the "broken image" used when images can't be loaded
      *
@@ -134,20 +142,28 @@ static function resolve_url($url, $protocol, $host, $base_path, Options $options
                     $parser,
                     function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
                         if (strtolower($name) === "image") {
+                            if (!\array_key_exists($full_url, self::$svgRefs)) {
+                                self::$svgRefs[$full_url] = [];
+                            }
                             $attributes = array_change_key_case($attributes, CASE_LOWER);
                             $urls = [];
                             $urls[] = $attributes["xlink:href"] ?? "";
                             $urls[] = $attributes["href"] ?? "";
                             foreach ($urls as $url) {
-                                if (!empty($url)) {
-                                    $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url);
-                                    if ($inner_full_url === $full_url) {
-                                        throw new ImageException("SVG self-reference is not allowed", E_WARNING);
-                                    }
-                                    [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options);
-                                    if (!empty($message)) {
-                                        throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING);
-                                    }
+                                if (empty($url)) {
+                                    continue;
+                                }
+
+                                $inner_full_url = Helpers::build_url($parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $url);
+                                if (empty($inner_full_url)) {
+                                    continue;
+                                }
+                                
+                                self::detectCircularRef($full_url, $inner_full_url);
+                                self::$svgRefs[$full_url][] = $inner_full_url;
+                                [$resolved_url, $type, $message] = self::resolve_url($url, $parsed_url["protocol"], $parsed_url["host"], $parsed_url["path"], $options);
+                                if (!empty($message)) {
+                                    throw new ImageException("This SVG document references a restricted resource. $message", E_WARNING);
                                 }
                             }
                         }
@@ -178,6 +194,19 @@ function ($parser, $name, $attributes) use ($options, $parsed_url, $full_url) {
         return [$resolved_url, $type, $message];
     }
 
+    static function detectCircularRef(string $src, string $target)
+    {
+        if (!\array_key_exists($target, self::$svgRefs)) {
+            return;
+        }
+        foreach (self::$svgRefs[$target] as $ref) {
+            if ($ref === $src) {
+                throw new ImageException("Circular external SVG image reference detected.", E_WARNING);
+            }
+            self::detectCircularRef($src, $ref);
+        }
+    }
+
     /**
      * Register a temp file for the given original image file.
      *
@@ -239,6 +268,7 @@ static function clear(bool $debugPng = false)
 
         self::$_cache = [];
         self::$tempImages = [];
+        self::$svgRefs = [];
     }
 
     static function detect_type($file, $context = null)

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

6

News mentions

0

No linked articles in our index yet.