
GHSA-3cwc-m7c2-qr86

GitHub Security Advisory

mPDF Unsafe Deserialization

✓ GitHub Reviewed HIGH Has CVE

Advisory Details

mPDF version 7.1.7 and earlier contains a CWE-502: Deserialization of Untrusted Data vulnerability in the getImage() method of the Image/ImageProcessor class that can result in arbitrary code execution, file write, etc. This attack appears to be exploitable if an attacker can host a crafted image on the victim server and trigger generation of a PDF file with content `<img src="phar://path/to/crafted/image">`. This vulnerability appears to have been fixed in 7.1.8.
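A defensive check of the kind this advisory calls for, as an added example that is not mPDF's own code and not its 7.1.8 fix: before an image source reaches any file or stream function, allow only a fixed set of schemes, so a `phar://` source (or any other PHP stream wrapper) is rejected up front rather than being opened. The function name and sample inputs are constructed for illustration.

```php
<?php
// Added example, not mPDF code. PHP stream wrappers (phar://, php://, ...)
// are resolved by ordinary file functions, which is how a crafted image
// reaches unserialize(); an allow-list on the scheme closes that path.
function isSafeImageSource(string $src): bool
{
    // Inline data URIs carry no wrapper and are passed through.
    if (stripos($src, 'data:') === 0) {
        return true;
    }
    // Anything of the form "<scheme>:" is treated as a URL; only http(s) is
    // accepted. Note that "C:\..." also matches and is rejected, which is
    // intended for a server-side image root.
    if (preg_match('#^([a-z][a-z0-9+.\-]*):#i', $src, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https'], true);
    }
    // No scheme: a relative path under the image root. Reject traversal.
    return strpos($src, '..') === false;
}

// Constructed inputs for illustration.
$samples = [
    'images/logo.png',
    'https://example.invalid/a.png',
    'data:image/png;base64,iVBORw0KGgo=',
    'phar://uploads/avatar.jpg/x',
    'php://filter/resource=images/logo.png',
    '../../etc/passwd',
];
foreach ($samples as $src) {
    printf("%-45s %s\n", $src, isSafeImageSource($src) ? 'allow' : 'reject');
}
```

The first three inputs are allowed and the last three rejected; the check belongs before any `file_exists()`, `getimagesize()` or `file_get_contents()` call on the source.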

Affected Packages

Packagist mpdf/mpdf
Affected versions: 0 (fixed in 7.1.8)

Related CVEs

Key Information

GHSA ID
GHSA-3cwc-m7c2-qr86
Published
May 14, 2022 1:33 AM
Last Modified
September 28, 2023 8:39 PM
CVSS Score
7.5 /10
Primary Ecosystem
Packagist
Primary Package
mpdf/mpdf
GitHub Reviewed
✓ Yes

Dataset

Last updated: July 1, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.