PT-2023-31515 · Dompdf

Bsweeney · Published 2023-12-13 · Updated 2023-12-19 · CVE-2023-50262

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Dompdf versions prior to 2.0.4

Description: The issue arises when Dompdf parses SVG images. Dompdf performs an initial validation to ensure that the paths referenced within an SVG are allowed, but prior to version 2.0.4 a recursive chain of references spanning two or more SVG documents is not correctly validated. A malicious actor may trigger infinite recursion by chaining references between two or more SVG images, which can exhaust the memory available to the executing process and/or to the server itself, causing resource exhaustion.

Recommendations: For versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue. As a temporary workaround, consider disabling the processing of SVG images referenced by an image element until a patch is available. Restrict access to the php-svg-lib module to minimize the risk of exploitation, and avoid using the image element in SVG images until the issue is resolved.
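The following is an added example of a pre-render check that applications feeding user-supplied SVG into a renderer can run themselves; it is not Dompdf's or php-svg-lib's own validation code. It assumes the SVG documents are available as in-memory strings keyed by the name an image element's href would use to reference them (a real deployment would resolve relative hrefs against the renderer's allowed directory), and its sample documents are constructed for the example. It walks image references depth-first and rejects a document whose chain of references loops back on itself, the pattern the description above covers, and also bounds the chain depth so that long but acyclic chains are rejected too.

```python
"""Pre-render check for chained <image> references between SVG documents.

Added example for this advisory, not Dompdf's or php-svg-lib's own validation.
Assumes the SVG documents are available as in-memory strings keyed by the
name an <image href="..."> would use to reference them.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed sample documents: a.svg and b.svg reference each other (the
# pattern the advisory describes), c.svg references only a raster image,
# d.svg references c.svg, e.svg references itself.
SAMPLE_DOCUMENTS = {
    "a.svg": ('<svg xmlns="http://www.w3.org/2000/svg" '
              'xmlns:xlink="http://www.w3.org/1999/xlink">'
              '<image xlink:href="b.svg" width="10" height="10"/></svg>'),
    "b.svg": ('<svg xmlns="http://www.w3.org/2000/svg">'
              '<image href="a.svg" width="10" height="10"/></svg>'),
    "c.svg": ('<svg xmlns="http://www.w3.org/2000/svg">'
              '<image href="logo.png" width="10" height="10"/></svg>'),
    "d.svg": ('<svg xmlns="http://www.w3.org/2000/svg">'
              '<image href="c.svg" width="10" height="10"/></svg>'),
    "e.svg": ('<svg xmlns="http://www.w3.org/2000/svg">'
              '<image href="e.svg" width="10" height="10"/></svg>'),
}


def image_references(svg_text):
    """Return the href targets of every <image> element in an SVG document.

    Both the SVG 2 `href` attribute and the legacy `xlink:href` are honoured,
    since renderers accept either spelling.
    """
    root = ET.fromstring(svg_text)
    refs = []
    for element in root.iter(f"{{{SVG_NS}}}image"):
        href = element.get("href") or element.get(f"{{{XLINK_NS}}}href")
        if href:
            refs.append(href)
    return refs


def find_reference_cycle(start, documents, max_depth=8):
    """Depth-first walk of <image> references starting at `start`.

    Returns the offending chain of document names when the walk revisits a
    document already on the current path (a cycle) or when the path grows
    beyond `max_depth` (a chain too long to be legitimate), otherwise None.
    References to names not in `documents` (raster files, unknown paths)
    are treated as leaves and not followed.
    """
    def walk(current, path):
        chain = path + [current]
        if current in path:
            return chain          # the chain loops back on itself
        if len(chain) > max_depth:
            return chain          # bounded even for acyclic but deep chains
        text = documents.get(current)
        if text is None:
            return None           # leaf: nothing further to follow
        for ref in image_references(text):
            offending = walk(ref, chain)
            if offending is not None:
                return offending
        return None

    return walk(start, [])


def safe_to_render(start, documents, max_depth=8):
    """True when the document and everything it pulls in can be rendered
    without following a cyclic or over-deep chain of <image> references."""
    return find_reference_cycle(start, documents, max_depth) is None


if __name__ == "__main__":
    for name in sorted(SAMPLE_DOCUMENTS):
        chain = find_reference_cycle(name, SAMPLE_DOCUMENTS)
        verdict = "ok" if chain is None else "reject: " + " -> ".join(chain)
        print(f"{name}: {verdict}")
```

Running the module prints a verdict per sample document; a.svg, b.svg and e.svg are rejected with the offending chain, while c.svg and d.svg pass. The depth bound matters independently of cycle detection: a renderer that resolves references on the fly can be driven deep by a long linear chain as well as by a loop, so the check rejects both rather than only the loop.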

Exploit · Fix · Uncontrolled Recursion · RCE


Weakness Enumeration

Related Identifiers: CVE-2023-50262, GHSA-3QX2-6F78-W2J2

Affected Products: Debian, Dompdf