Vulnerability description
Presentation of Html2Pdf
"Html2Pdf is an HTML to PDF converter written in PHP, and compatible with PHP 5.6 to 7.4. It allows the conversion of valid
HTML in PDF format, to generate documents like invoices, documentation, … You have to write a code of HTML for
Html2Pdf, and not try to convert directly an already existing html page. Specific tags have been implemented, to adapt the
html standard to a PDF usage. You must use Composer to install this library. It uses TCPDF for the PDF part." [1]
The issue
During a security assessment, Synacktiv consultants found a vulnerability in the PDF generation mechanism that leads to blind
Server-Side Request Forgery as well as Remote Code Execution on the server running the Html2Pdf library.
The CSS parser of the Html2Pdf library calls the PHP function file_get_contents with an argument entirely controlled by
the attacker. This function supports several protocols, including HTTP(S) and PHAR. An attacker can therefore perform a
blind Server-Side Request Forgery attack using the http(s):// wrapper and, in PHP 7 and below, trigger the deserialization
of PHP archive metadata using the phar:// wrapper.
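As an added illustration of the mitigation side (not code from Html2Pdf or from this advisory), the PHP helper below vets a stylesheet reference before it reaches file_get_contents: it rejects every stream wrapper except http(s) to allowlisted hosts and confines scheme-less paths to one directory. The function name, the allowlist, the base directory and the sample inputs are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper, not Html2Pdf code. Decides whether a
// stylesheet reference taken from untrusted HTML may reach file_get_contents().
function vetStylesheetSource(string $href, string $baseDir, array $allowedHosts): string
{
    $href = trim($href);
    // "scheme:" means a URL or stream wrapper (phar://, php://, data:, ...).
    // Compare case-insensitively so PHAR:// is treated like phar://.
    if (preg_match('~^([a-z][a-z0-9+.\-]*):~i', $href, $m)) {
        $scheme = strtolower($m[1]);
        if ($scheme !== 'http' && $scheme !== 'https') {
            throw new InvalidArgumentException("stream wrapper not allowed: $scheme");
        }
        $host = parse_url($href, PHP_URL_HOST);
        if (!is_string($host) || !in_array(strtolower($host), $allowedHosts, true)) {
            throw new InvalidArgumentException('remote host not in allowlist');
        }
        return $href;
    }

    // No scheme: a local file that must resolve inside $baseDir.
    $root = realpath($baseDir);
    $real = realpath($baseDir . DIRECTORY_SEPARATOR . $href);
    if ($root === false || $real === false
        || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        throw new InvalidArgumentException('path missing or outside stylesheet directory');
    }
    return $real;
}

// Constructed inputs; /tmp, cdn.example.com and internal.example are placeholders.
$samples = [
    'phar://archive.phar/style.css',
    'PHAR://archive.phar/style.css',
    'http://internal.example/status',
    'https://cdn.example.com/print.css',
    '../../etc/passwd',
];
foreach ($samples as $href) {
    try {
        echo $href, ' => ', vetStylesheetSource($href, '/tmp', ['cdn.example.com']), "\n";
    } catch (InvalidArgumentException $e) {
        echo $href, ' => rejected (', $e->getMessage(), ")\n";
    }
}
```

An HTTP redirect can still lead outside the allowlist, so the fetch itself should use a stream context with the `follow_location` option set to 0.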
Affected versions
The Html2Pdf library versions 4.03 and above are vulnerable. Please note that researchers were not able to check if an older
version was vulnerable, as version 4.03 is the oldest version of the library available on GitHub.
Fix status
The issue was fixed in version 5.2.4. Consider updating html2pdf to this version.
Timeline
Date        Action
2021-12-15  Vulnerabilities identified.
2021-12-15  Advisory writing.
2021-12-16  Html2Pdf version 5.2.4 released.
2022-01-06  The MITRE Corporation attributed CVE-2021-45394.
2022-01-14  Advisory released.
[1] https://github.com/spipu/html2pdf