CVE-2021-3902

moderate-risk

Published 2024-11-15

An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.

Do I need to act?

5.1% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Fix available

Upgrade to: 79573d8b8a141ec8a17312515de8740eed014fa9, f56bc8e40be6c0ae0825e6c7396f4db80620b799

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Dompdf

Affected Vendors

Dompdf Project

References (2)

Patch https://github.com/dompdf/dompdf/commit/f56bc8e40be6c0ae0825e6c7396f4db80620b799

Exploit https://huntr.com/bounties/a6071c07-806f-429a-8656-a4742e4191b1

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 8/34 · Low

Exposure 5/34 · Minimal