CVE-2022-41343 — Dompdf allows remote file inclusion because URI validation failure does not halt

Description

`registerFont` in `FontMetrics.php` in Dompdf before 2.0.1 allows remote file inclusion because a URI validation failure does not halt font registration, as demonstrated by a `@font-face` rule.

How to fix CVE-2022-41343

To remediate CVE-2022-41343, upgrade the affected package to a fixed version below.

Packagist/dompdf/dompdf—upgrade to 2.0.1 or later

Is CVE-2022-41343 being exploited?

Likely — EPSS is 54.0%, placing CVE-2022-41343 in the top tier of vulnerabilities by exploitation probability. Prioritise patching.

Affected packages (1)

from 0, < 2.0.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (9)

ADVISORYgithub.com/advisories/GHSA-6x28-7h8c-chx4
ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-41343
PATCHgithub.com/dompdf/dompdf
WEBgithub.com/dompdf/dompdf/commit/66431c58017d5b1bdb9f6f772b9fbbc5e3d38dc2
WEB