PT-2024-11000 · Dompdf · Dompdf

Published: 2024-11-15 · Updated: 2024-11-19 · CVE-2021-3902

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: dompdf versions prior to 2.0.0

Description: An improper restriction of XML external entity references (XXE) in dompdf's SVG parser allows Server-Side Request Forgery (SSRF) and deserialization attacks. The issue can be exploited even when the isRemoteEnabled option is set to false, allowing attackers to perform SSRF, disclose internal image files, and trigger PHAR deserialization.

Recommendations: For versions prior to 2.0.0, update to version 2.0.0 or later, which resolves the issue. As a temporary workaround until the update can be applied, consider disabling the SVG parser in dompdf. Restrict access to internal image files to limit the impact of exploitation. Do not rely on setting isRemoteEnabled to false as a mitigation, since it does not prevent the vulnerability from being exploited.
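Added example, not code from the advisory or from the dompdf project: a PHP pre-screen that rejects SVG input declaring a DTD, external entities, or non-inline image references before the markup ever reaches dompdf's SVG parser. The function name, the rejection messages and the two sample SVGs are constructed for this illustration.

```php
<?php
// Added example (not dompdf's own code): screen SVG input before handing it to
// dompdf, so a DTD or external entity never reaches the SVG parser. Releases
// before 2.0.0 resolved such entities even with isRemoteEnabled = false.

const SVG_NS   = 'http://www.w3.org/2000/svg';
const XLINK_NS = 'http://www.w3.org/1999/xlink';

/** Returns null when the SVG is acceptable, otherwise the reason for rejection. */
function svgRejectReason(string $svg): ?string
{
    // 1. Textual screen: SVG destined for a PDF renderer never needs a DTD,
    //    so any DOCTYPE or ENTITY declaration is rejected outright.
    if (preg_match('/<!(DOCTYPE|ENTITY)\b/i', $svg)) {
        return 'DTD or entity declaration present';
    }

    // 2. Structural parse with network access disabled and without entity
    //    substitution (LIBXML_NOENT is deliberately NOT passed).
    $prev = libxml_use_internal_errors(true);
    $doc  = new DOMDocument();
    $ok   = $doc->loadXML($svg, LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok) {
        return 'not well-formed XML';
    }
    if ($doc->doctype !== null) {
        return 'DTD present'; // catches a declaration the regex did not match
    }

    // 3. Only inline (data:) images are accepted: a reference to a local file
    //    or a remote URL is what turns an SVG into a file-read or SSRF primitive.
    foreach ($doc->getElementsByTagNameNS(SVG_NS, 'image') as $img) {
        $href = $img->getAttribute('href') ?: $img->getAttributeNS(XLINK_NS, 'href');
        if ($href !== '' && stripos($href, 'data:') !== 0) {
            return "non-inline image reference: $href";
        }
    }
    return null;
}

// Constructed samples: a plain shape, and a document carrying an external entity.
$clean = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>';
$dtd   = '<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY ext SYSTEM "file:///PLACEHOLDER">]>'
       . '<svg xmlns="http://www.w3.org/2000/svg"><text>&ext;</text></svg>';

var_dump(svgRejectReason($clean));
var_dump(svgRejectReason($dtd));
```

Call svgRejectReason() on every SVG that will be embedded in HTML passed to dompdf and drop the document when it returns a string; this complements, rather than replaces, updating to 2.0.0 or later.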

Exploit · Fix · XXE


Weakness Enumeration

Related Identifiers

CVE-2021-3902
GHSA-3VJH-XRHF-V9XH

Affected Products

Dompdf