Exploiting RCE Vulnerability in Dompdf

January 21, 2023

If you use Dompdf for your document sharing needs, you may want to take some preventative measures against exploiting RCE vulnerability in dompdf. A security researcher, Chris Jones, has recently discovered that Dompdf is vulnerable to a Remote Code Execution (RCE) attack. This exploit uses a DOM API to launch malicious code. You can read his article for more information about the vulnerability and its mitigations.

Remote code execution

Dompdf is a popular PHP library that renders PDFs from HTML documents. However, a security vulnerability has been discovered in this library, and could allow an attacker to gain remote code execution.

The vulnerability is triggered when an attacker uploads a malicious font to a web server. It can then be used to inject HTML into a website, and render the page as a PDF. The attacker can then exploit the vulnerability to execute PHP code from the font file.

There are several ways to protect against the dompdf vulnerability. One way is to sanitize inputs before they are sent to the backend. A second option is to update software.

Another way to mitigate the impact of this vulnerability is to use a buffer overflow protection. This will limit the risk of an attacker exploiting this issue. In addition, the principle of least privilege will help to mitigate the negative effects of an RCE attack.

Cross-site scripting (XSS) issue

There is an unpatched cross-site scripting (XSS) issue in Dompdf, a PHP library that is used for generating PDFs. This attack can allow an attacker to gain access to sensitive data and manipulate user interactions.

XSS works by injecting malicious code into web pages. The attacker then uses social engineering techniques to lure users to the website where they can then inadvertently execute the malicious script.

This type of attack allows the attacker to take over the website, allowing him to steal any user information. He can also manipulate the website, defacing it and stealing any data.

An XSS attack on an e-commerce website can have a damaging impact on the company’s reputation. A malicious script in a website can allow the attacker to capture usernames and passwords, download unauthorized files, and create havoc on social networks.

An attacker can exploit this vulnerability by uploading a file with.php extensions into a web directory. This will enable the uploaded file to be read and executed in the browser, potentially allowing the attack to be carried out remotely.

Mitigation measures

Positive Security has discovered a new remote code execution (RCE) vulnerability in Dompdf, an HTML to PDF converter. This vulnerability is a risk to websites that require the server-side generation of PDFs. If exploited successfully, the attacker could perform multiple functions, including reading any file on the device’s file system and executing arbitrary code.

The dompdf project’s maintainer has not yet addressed the vulnerability. However, users can take several mitigation measures to protect themselves against it. The first step is to make sure that the software is not installed in a web-accessible directory.

Another step is to turn off the DOMPDF_ENABLE_REMOTE setting. This setting can be used to remotely control the server and run a shell script.

Similarly, users should ensure that the font they upload with the DOMPDF_ENABLE_PHP setting is not a malicious one. This allows attackers to inject HTML or CSS into a web page before rendering it as a PDF.

CVE-2022-28368 mapping

DOMpdf, a library used for rendering PDF files in PHP, is vulnerable to an unpatched security vulnerability. A remote attacker can gain control of a system and potentially execute code on it by exploiting a mapping in the Dompdf library.

Dompdf is a popular library in PHP that generates PDF files. The library is widely used and is deployed on over 59,000 open-sourced platforms. The vulnerability has been disclosed to the public, but the developers have not provided a timeline for a fix.

The flaw involves a mapping in the Dompdf library that references font family and location. When an authenticated remote user uses the server’s @font-face CSS statement, code from the library could be remotely executed during PDF generation.

The flaw affects versions 1.2.0 and prior. To exploit the vulnerability, an attacker must first create a valid font with the.php extension. Once the font is available, the dompdf library can add it to the server. The library then loads the font into the external style sheet through HTML.

Ammar Fakhruddin


Ammar brings in 18 years of experience in strategic solutions and product development in Public Sector, Oil & Gas and Healthcare organizations. He loves solving complex real world business and data problems by bringing in leading-edge solutions that are cost effective, improve customer and employee experience. At Propelex he focuses on helping businesses achieve digital excellence using Smart Data & Cybersecurity solutions.

Security Practitioners Should Understand Their Business

Security Practitioners Should Understand Their Business

Discover why security practitioners should understand their business context for more effective cybersecurity strategies. With devastating data breaches and ransomware attacks dominating headlines and putting people’s lives at risk, cybersecurity has been elevated to...

Shadow Data is A Growing Risk

Shadow Data is A Growing Risk

Shadow data: A growing risk to your organization's security. Learn how to tackle and mitigate this growing threat. Businesses are embracing the cloud for multiple reasons, including cost savings and business acceleration. But these gains are accompanied by growing...

Delinea Adds New Features

Delinea Adds New Features

Delinea adds new features for its privilege manager and devops secrets vault that reduce friction on workstations and help balance security and velocity. This includes enhanced privilege elevation workflows and improvements to our native MacOS agent for the latest...

Recent Case Studies

Press Releases

News & Events


Managed Security Services
Security & Privacy Risk Assessment
Cloud Platform Security
Incident Response & Business Continuity

Penetration Testing

Virtual CISO

Email Security & Phishing



About Us