CVE intelligence and bounded remediation
CVE-2023-50262 — Dompdf is an HTML to PDF converter for PHP
Dompdf is an HTML to PDF converter for PHP. When parsing SVG images Dompdf performs an initial validation to ensure that paths within the SVG are allowed. One of the validations is that the SVG document does not reference itself. However, prior to version 2.0.4, a recursive chained using two or more SVG documents is not correctly validated. Depending on the system configuration and attack pattern this could exhaust the memory available to the executing process and/or to the server itself. php-svg-lib, when run in isolation, does not support SVG references for `image` elements. However, when used in combination with Dompdf, php-svg-lib will process SVG images referenced by an `image` element. Dompdf currently includes validation to prevent self-referential `image` references, but a chained reference is not checked. A malicious actor may thus trigger infinite recursion by chaining references between two or more SVG images. When Dompdf parses a malicious payload, it will crash due after exceeding the allowed execution time or memory usage. An attacker sending multiple request to a system can potentially cause resource exhaustion to the point that the system is unable to handle incomi…
- Severity
- High
- CVSS
- 7.5 (3.1)
- Published
- 2023-12-13
- CISA KEV
- Not currently listed
- Ecosystem
- software/application
- Weaknesses
- CWE-20, CWE-674
Affected products
- dompdf_project / dompdf
Matched remediation archetype
Resource exhaustion and denial of service
This catalog composition supplies bounded fallback guidance. Explicitly reviewed curated workflows load with the complete record below.
Check exposure
- Identify attacker-influenced work factors including input size, nesting, compression, fan-out, regex cost, allocation, recursion, retries, and connection lifetime.
- Map per-request and shared CPU, memory, disk, descriptor, thread, queue, and downstream-service limits.
- Determine whether authentication, tenancy, quotas, and rate controls apply before expensive processing begins.
Remediate safely
- Bound input size, nesting, expansion, work, concurrency, queue depth, retries, and execution time before resource-intensive processing.
- Release resources on every success, error, cancellation, and timeout path and use backpressure instead of unbounded buffering.
- Update affected components and add small deterministic tests that assert resource ceilings rather than exhausting a host.
Authoritative sources
Complete CVE record and remediation plan
The detailed catalog view below loads this exact record, its source evidence, and the full seven-phase agentic change plan.