GHSA-97m3-52wr-xvv2: 
PHP vulnerability analysis and mitigation

A critical vulnerability (GHSA-97m3-52wr-xvv2) was discovered in dompdf's usage of phenx/php-svg-lib affecting versions below 0.5.2. The vulnerability stems from a lack of sanitization in the font path handling, which was disclosed on February 21, 2024. The issue affects the dompdf library when using the vulnerable version of phenx/php-svg-lib, particularly impacting systems processing SVG files with inline CSS font definitions (GitHub Advisory).

The vulnerability exists in the openFont function of lib/Cpdf.php where the $font variable from php-svg-lib isn't properly validated. The issue occurs when processing font paths, where $name and $dir variables can be controlled through CSS. When a font named 'phar:///foo/bar/baz.phar/test' is processed, it sets $name to 'test' and $dir to 'phar:///foo/bar/baz.phar', leading to potential exploitation. The vulnerability has received a Critical severity rating with a CVSS score of 10.0, indicating maximum severity across confidentiality, integrity, and availability impacts (GitHub Advisory).

The vulnerability can be exploited to call arbitrary URLs with arbitrary protocols if an attacker can force dompdf to parse an SVG with an inline CSS property using a malicious font-family. For PHP versions prior to 8.0.0, this leads to arbitrary unserialization, resulting in potential arbitrary file deletion and possible remote code execution depending on available classes. The vulnerability can also bypass allowed protocols configured in dompdf, enabling Server-Side Request Forgery (SSRF) attacks (GitHub Advisory).

The vulnerability has been patched in version 0.5.2 of phenx/php-svg-lib. Users are strongly advised to upgrade to this version or later to address the security issue. The fix includes proper validation of font paths and improved handling of external references (GitHub Advisory).