CVE-2023-50262: 
PHP vulnerability analysis and mitigation

Dompdf, an HTML to PDF converter for PHP, was found to contain a vulnerability (CVE-2023-50262) affecting versions prior to 2.0.4. The vulnerability was disclosed on December 13, 2023, and involves improper validation of SVG image references that could lead to resource exhaustion (GitHub Advisory).

The vulnerability stems from insufficient validation of SVG image references. While Dompdf performs initial validation to prevent self-referential SVG documents, it fails to properly validate recursive chaining between two or more SVG documents. The php-svg-lib component, when used with Dompdf, processes SVG images referenced by image elements, but the chained reference validation is incomplete. This vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by NVD and 5.3 (MEDIUM) by GitHub, with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (NVD, GitHub Advisory).

When exploited, this vulnerability can cause the system to crash after exceeding the allowed execution time or memory usage. Multiple malicious requests can potentially lead to resource exhaustion, rendering the system unable to handle incoming requests. The impact primarily affects system availability without compromising confidentiality or integrity (GitHub Advisory).

The vulnerability has been fixed in Dompdf version 2.0.4. Users are advised to upgrade to this version or later to mitigate the risk. The fix includes improved SVG file reference recursion validation to prevent circular references across SVG documents (GitHub Advisory).