GitHub_M·CWE-20·Published 2023-12-13
Dompdf is an HTML to PDF converter for PHP. When parsing SVG images, Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, prior to version 2.0.4, a recursive chain using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern, this could exhaust the memory available to the executing process and/or to the server itself. php-svg-lib, when run in isolation, does not support SVG references for `image` elements. However, when used in combination with Dompdf, php-svg-lib will process SVG images referenced by an `image` element. Dompdf currently includes validation to prevent self-referential `image` references, but a chained reference is not checked. A malicious actor may thus trigger infinite recursion by chaining references between two or more SVG images. When Dompdf parses a malicious payload, it will crash after exceeding the allowed execution time or memory usage. An attacker sending multiple requests to a system can potentially cause resource exhaustion to the point that the system is unable to handle incoming requests. Version 2.0.4 contains a fix for this issue.
### Summary

When parsing SVG images, Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the [SVG document does not reference itself](https://github.com/dompdf/dompdf/blob/v2.0.3/src/Image/Cache.php#L136-L153). However, a recursive chain using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern, this could exhaust the memory available to the executing process and/or to the server itself.

### Details

php-svg-lib, when run in isolation, does not support SVG references for `image` elements. An SVG document can, however, be referenced, and Dompdf will run that reference through the same validation. Dompdf currently includes validation to prevent self-referential `image` references, but a chained reference is not checked. A malicious actor may thus trigger infinite recursion in the validation process by chaining references between two or more SVG images.

### PoC

The following sources can be used to bypass the validation provided by Dompdf:

recurse.html

```
<img src="one.svg">
```

one.svg

```
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
    <image href="two.svg" />
</svg>
```

two.svg

```
<svg width="200" height="200" xmlns="http://www.w3.org/2000/svg">
    <image href="one.svg" />
</svg>
```

### Impact

When Dompdf parses the above payload, it will crash after exceeding the allowed execution time or memory usage. An attacker sending multiple requests to a system can potentially cause resource exhaustion to the point that the system is unable to handle incoming requests.
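The gap described above, shown as an added example that is not Dompdf's code: a check that only catches direct self-reference next to one that tracks the whole chain of documents being validated. The function names, the depth cap, and the in-memory `$docs` map (standing in for the files a renderer would load) are assumptions.

```php
<?php
// Added example, not Dompdf's code; function names are hypothetical.
const XLINK = 'http://www.w3.org/1999/xlink';
const MAX_DEPTH = 8; // assumed cap on nested SVG references

/** href values of every <image> element in an SVG string. */
function imageHrefs(string $svg): array
{
    $dom = new DOMDocument();
    if ($svg === '' || !@$dom->loadXML($svg, LIBXML_NONET)) {
        return [];
    }
    $hrefs = [];
    foreach ($dom->getElementsByTagName('image') as $el) {
        $hrefs[] = $el->getAttribute('href') ?: $el->getAttributeNS(XLINK, 'href');
    }
    return array_filter($hrefs, fn($h) => $h !== '');
}

/** Self-reference-only check: sees only a document that points directly at itself. */
function referencesItself(array $docs, string $name): bool
{
    return in_array($name, imageHrefs($docs[$name] ?? ''), true);
}

/**
 * Chain-aware check. $stack is the chain of documents currently being validated.
 * Returns the offending chain (cycle or too deep), or null when the walk ends.
 * Real code must resolve each href to a canonical path before comparing.
 */
function findUnsafeChain(array $docs, string $name, array $stack = []): ?array
{
    if (in_array($name, $stack, true) || count($stack) >= MAX_DEPTH) {
        return array_merge($stack, [$name]);
    }
    $stack[] = $name;
    foreach (imageHrefs($docs[$name] ?? '') as $href) {
        if (($chain = findUnsafeChain($docs, $href, $stack)) !== null) {
            return $chain;
        }
    }
    return null;
}

// Constructed sample: the two documents from the PoC, held in memory.
$svg = fn(string $href) => "<svg xmlns=\"http://www.w3.org/2000/svg\"><image href=\"$href\" /></svg>";
$docs = ['one.svg' => $svg('two.svg'), 'two.svg' => $svg('one.svg')];
echo 'self-check flags one.svg: ', var_export(referencesItself($docs, 'one.svg'), true), PHP_EOL;
echo 'chain check: ', implode(' -> ', findUnsafeChain($docs, 'one.svg') ?? ['ok']), PHP_EOL;
```

The depth cap bounds the walk even when every document in a long chain is distinct, which a visited-set test alone would not stop early.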
| CVSS version | Type | Source | Base score | Exploitability score | Impact score | Vector |
|---|---|---|---|---|---|---|
| 3.1 | Primary | NVD | 7.5 | 3.9 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| 3.1 | Primary | cve.org | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| 3.1 | Secondary | NVD | 5.3 | 3.9 | 1.4 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| 3.1 | Secondary | GHSA | 5.3 | — | — | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |