6.8 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
6.8 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.3%
php-svg-lib fails to validate that font-family doesn’t contain a PHAR url, which might leads to RCE on PHP < 8.0, and doesn’t validate if external references are allowed. This might leads to bypass of restrictions or RCE on projects that are using it, if they do not strictly revalidate the fontName that is passed by php-svg-lib.
The Style::fromAttributes(), or the Style::parseCssStyle() should check the content of the font-family
and prevents it to use a PHAR url, to avoid passing an invalid and dangerous fontName
value to other libraries. The same check as done in the Style::fromStyleSheets might be reused :
if (
\array_key_exists("font-family", $styles)
&& (
\strtolower(\substr($this->href, 0, 7)) === "phar://"
|| ($this->document->allowExternalReferences === false && \strtolower(\substr($this->href, 0, 5)) !== "data:")
)
) {
unset($style["font-family"]);
}
Parsing the following SVG :
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<text x="20" y="35" style="color:red;font-family:phar:///path/to/whatever.phar/blaklis;">My</text>
</svg>
will pass the phar:///path/to/whatever.phar/blaklis
as $family
in SurfaceCpdf::setFont
, which is then passed to the canvas selectFont
as a $fontName
.
Libraries using this library as a dependency might be vulnerable to some bypass of restrictions, or even RCE, if they do not double check the value of the fontName
that is passed by php-svg-lib
CPE | Name | Operator | Version |
---|---|---|---|
phenx/php-svg-lib | lt | 0.5.2 |
github.com/advisories/GHSA-f3qr-qr4x-j273
github.com/dompdf/php-svg-lib/commit/732faa9fb4309221e2bd9b2fda5de44f947133aa
github.com/dompdf/php-svg-lib/commit/8ffcc41bbde39f09f94b9760768086f12bbdce42
github.com/dompdf/php-svg-lib/security/advisories/GHSA-f3qr-qr4x-j273
nvd.nist.gov/vuln/detail/CVE-2024-25117
6.8 Medium
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
6.8 Medium
AI Score
Confidence
Low
0.0004 Low
EPSS
Percentile
15.3%