CVE-2021-3902
Improper Restriction of XML External Entity Reference in dompdf/dompdf
CVSS 3.1 base score: 9.8 (CRITICAL)
EPSS: 5.1%
Description
An improper restriction of external entities (XXE) vulnerability in dompdf/dompdf's SVG parser allows for Server-Side Request Forgery (SSRF) and deserialization attacks. This issue affects all versions prior to 2.0.0. The vulnerability can be exploited even if the isRemoteEnabled option is set to false. It allows attackers to perform SSRF, disclose internal image files, and cause PHAR deserialization attacks.
How to fix CVE-2021-3902
To remediate CVE-2021-3902, upgrade the affected package to one of the fixed versions listed below.
- Upgrade to 2.0.2+dfsg-1 or later
- Upgrade to 2.0.0 or later
Is CVE-2021-3902 being exploited?
Moderate: the EPSS score is 5.1%. Track this CVE, but it is not at the top of the prioritisation list.
Affected packages (2)
- All versions from 0 up to, but not including, 2.0.2+dfsg-1
- All versions from 0 up to, but not including, 2.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |