Debian LTS: php-zip Important PHAR Deserialization 2025-4428-2
debian lts
December 30, 2025
Two vulnerabilities were discovered in php-dompdf, a PHP library to convert HTML to PDF
Topics Covered
Summary
CVE-2021-3838
php-dompdf is vulnerable to PHAR deserialization due to a lack of
checking on the protocol before passing it into the
file_get_contents() function. An attacker who can upload files of
any type to the server can pass in the phar:// protocol to
unserialize the uploaded file and instantiate arbitrary PHP
objects. This can lead to remote code execution, especially when
DOMPdf is used with frameworks with documented POP chains like
Laravel or vulnerable developer code
CVE-2022-2400
php-dompdf was vulnerable to External Control of File Name bypassing
unallowed access verification.
For Debian 11 bullseye, these problems have been fixed in version
0.6.2+dfsg-3.1+deb11u1.
We recommend that you upgrade your php-dompdf packages.
For the detailed security status of php-dompdf please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/php-dompdf
Further information about Debian LTS security advisories, how to apply
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Package: php-dompdf
Version: 0.6.2+dfsg-3.1+deb11u1
CVE ID: CVE-2021-3838 CVE-2022-2400
Topics Covered
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!