CVE-2024-25117 Overview
CVE-2024-25117 is a critical vulnerability in php-svg-lib, a scalable vector graphics (SVG) file parsing and rendering library used primarily as a dependency in PHP projects such as Dompdf. The vulnerability exists because php-svg-lib fails to validate that the font-family CSS property doesn't contain a PHAR URL, which can lead to Remote Code Execution (RCE) on PHP versions prior to 8.0. Additionally, the library does not validate whether external references are allowed, creating multiple attack vectors.
Critical Impact
This vulnerability enables unauthenticated remote attackers to achieve code execution by injecting malicious PHAR URLs through SVG font-family attributes, potentially compromising any application using php-svg-lib as a dependency.
Affected Products
- dompdf php-svg-lib (versions prior to 0.5.2)
- PHP versions below 8.0 (when used with vulnerable php-svg-lib)
- Applications using Dompdf for PDF generation with SVG support
Discovery Timeline
- February 21, 2024 - CVE-2024-25117 published to NVD
- February 5, 2025 - Last updated in NVD database
Technical Details for CVE-2024-25117
Vulnerability Analysis
The vulnerability resides in how php-svg-lib parses CSS style attributes within SVG files. Specifically, the Style::fromAttributes() and Style::parseCssStyle() functions fail to sanitize or validate the font-family property for malicious content. An attacker can craft an SVG file containing a font-family attribute that references a PHAR (PHP Archive) URL instead of a legitimate font name.
When this unsanitized font name is passed to downstream libraries or processed by the PHP interpreter, the PHAR stream wrapper can be triggered, leading to deserialization of attacker-controlled data. On PHP versions below 8.0, this can result in arbitrary code execution through PHP object injection attacks via PHAR deserialization.
The library has existing validation in Style::fromStyleSheets() that could prevent this attack, but this same validation was not applied consistently to the Style::fromAttributes() and Style::parseCssStyle() methods, creating an inconsistent security boundary.
Root Cause
The root cause is a failure to implement consistent input validation across all entry points that process the font-family CSS property. While external reference checks exist in some code paths, the Style::fromAttributes() and Style::parseCssStyle() functions bypass these security controls, allowing PHAR URLs and other potentially dangerous external references to be processed without restriction. This inconsistency in validation logic, combined with PHP's automatic PHAR stream wrapper handling, creates the exploitable condition.
Attack Vector
The attack leverages network-accessible endpoints that process SVG content. An attacker can submit a maliciously crafted SVG file to any application endpoint that uses php-svg-lib for SVG parsing (commonly through Dompdf for PDF generation). The attack requires no authentication or user interaction, making it particularly dangerous for applications that accept user-uploaded SVG files or generate PDFs from user-supplied content.
The exploitation flow involves:
- Crafting an SVG file with a malicious font-family attribute containing a PHAR URL
- Uploading or submitting the SVG to a vulnerable application
- When php-svg-lib parses the SVG, the malicious font-family value is extracted without sanitization
- The PHAR URL triggers PHP's stream wrapper, causing deserialization of attacker-controlled objects
- Through a carefully crafted POP chain, arbitrary code execution is achieved
Since no verified proof-of-concept code is available, readers should consult the GitHub Security Advisory for detailed technical information about the vulnerability mechanism.
Detection Methods for CVE-2024-25117
Indicators of Compromise
- SVG files containing font-family attributes with phar:// protocol references
- Unusual file access patterns to .phar files on the web server
- PHP errors related to PHAR deserialization or stream wrapper issues in application logs
- Unexpected outbound network connections following SVG processing operations
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect SVG uploads containing phar:// strings in any attribute
- Monitor application logs for PHP deserialization errors or PHAR-related warnings
- Use static analysis tools to identify code paths that process SVG content without proper input validation
- Deploy endpoint detection solutions capable of identifying suspicious PHP process behavior following file upload events
Monitoring Recommendations
- Enable verbose logging for all SVG processing and PDF generation operations
- Set up alerts for any file system access to PHAR archives from web application processes
- Monitor for creation of unexpected PHP files or modifications to existing application code
- Implement file integrity monitoring on critical application directories
How to Mitigate CVE-2024-25117
Immediate Actions Required
- Upgrade php-svg-lib to version 0.5.2 or later immediately
- Audit all applications using Dompdf or php-svg-lib as dependencies for exposure
- Implement server-side validation to reject SVG files containing phar:// URLs before processing
- Consider upgrading PHP to version 8.0 or later, which includes protections against PHAR deserialization attacks
Patch Information
The vulnerability has been fixed in php-svg-lib version 0.5.2. The fix implements proper validation of the font-family attribute to prevent PHAR URLs and external references from being processed. Security patches are available through the following commits:
For detailed information about the security fix, see the GitHub Security Advisory.
Workarounds
- Implement pre-processing validation to strip or reject SVG files containing suspicious font-family values
- Disable PHAR stream wrapper in PHP configuration if not required by your application
- Restrict file upload functionality to prevent SVG files from being processed until patching is complete
- Apply additional validation in consuming applications to double-check fontName values received from php-svg-lib
<?php
// Temporary mitigation: unregister the PHAR stream wrapper in the application
// bootstrap so that phar:// URLs reaching PHP's file functions fail to open.
// Note: this breaks applications that legitimately read PHAR archives.
// php.ini alone is not sufficient: phar.readonly = 1 only prevents creating or
// modifying archives and does not stop phar:// reads, which is the step that
// triggers deserialization.
if (in_array('phar', stream_wrappers(), true)) {
    stream_wrapper_unregister('phar');
}
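The pre-processing validation recommended above (reject SVG input whose font-family values are URLs before php-svg-lib sees it) as an added example, not code from php-svg-lib or Dompdf; the function names, the conservative "any URL scheme" rule and the sample documents are assumptions of this example.

```php
<?php
// Added example, not php-svg-lib code: reject an SVG whose font-family values
// carry a URL scheme (phar://, file://, ...). Covers both the font-family
// attribute and inline style="font-family: ..." (the two unchecked entry points).
function fontFamilyHasScheme(string $value): bool
{
    // A font list is comma separated; no real family name starts with "scheme:".
    foreach (explode(',', $value) as $family) {
        $family = trim($family, " \t\r\n\"'");
        if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $family)) {
            return true;
        }
    }
    return false;
}
function svgFontFamilyIsSafe(string $svg, ?string &$reason = null): bool
{
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true); // already the default from PHP 8.0
    }
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    $ok = $dom->loadXML($svg, LIBXML_NONET); // parse only the bytes we were given
    libxml_use_internal_errors($prev);
    if (!$ok) {
        $reason = 'not well-formed XML';
        return false;
    }
    $xpath = new DOMXPath($dom);
    foreach ($xpath->query('//*[@font-family or @style]') as $el) {
        $values = $el->hasAttribute('font-family') ? [$el->getAttribute('font-family')] : [];
        if (preg_match_all('/font-family\s*:\s*([^;]+)/i', $el->getAttribute('style'), $m)) {
            $values = array_merge($values, $m[1]); // declarations inside style="..."
        }
        foreach ($values as $value) {
            if (fontFamilyHasScheme($value)) {
                $reason = sprintf('<%s> font-family "%s" is a URL', $el->nodeName, trim($value));
                return false;
            }
        }
    }
    return true;
}
// Constructed samples: a benign font list, and a style that names a phar archive.
$benign = '<svg xmlns="http://www.w3.org/2000/svg"><text font-family="Arial, \'Open Sans\'">ok</text></svg>';
$bad = '<svg xmlns="http://www.w3.org/2000/svg"><text style="font-family: phar://path/to/archive.phar">x</text></svg>';
var_dump(svgFontFamilyIsSafe($benign));
var_dump(svgFontFamilyIsSafe($bad, $why));
echo $why, PHP_EOL;
```

Stylesheet blocks inside `<style>` elements are deliberately left to the library, since the advisory notes that Style::fromStyleSheets() already validates external references; the same rejection rule can be reused as a WAF or upload filter.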
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.