{"uuid": "38eae907-528c-44bd-8a63-f4192eabf78d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2022-28368", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/dompdf_rce_cve_2022_28368.rb", "content": "{\"aliases\": [], \"arch\": \"php\", \"author\": [\"Maximilian Kirchmeier\", \"Fabian Br\\u00e4unlein\", \"rvizx\", \"msutovsky-r7\", \"Adithya Pawar\"], \"autofilter_ports\": [80, 8080, 443, 8000, 8888, 8880, 8008, 3000, 8443], \"autofilter_services\": [\"http\", \"https\"], \"check\": true, \"default_credential\": false, \"description\": \"This module exploits CVE-2022-28368, a Remote Code Execution vulnerability\\n          in dompdf versions prior to 1.2.1. The vulnerability exists because dompdf\\n          preserves the original file extension when caching fonts downloaded via CSS\\n          @font-face rules. By pointing a @font-face src to a .php file containing a\\n          valid TrueType font header with embedded PHP code, the file is saved in the\\n          dompdf font cache (lib/fonts/) with its .php extension intact. The cached\\n          file can then be executed by directly requesting it from the web server.\\n\\n          For dompdf versions <= 0.8.5, remote font loading works regardless of the\\n          $isRemoteEnabled setting. For versions 0.8.6 through 1.2.0, the\\n          $isRemoteEnabled option must be set to true.\\n\\n          This module requires the ability to inject HTML/CSS into the data processed\\n          by dompdf (e.g., via an XSS, a user-controlled form field, or a direct\\n          parameter) and that the dompdf font cache directory is web-accessible.\", \"disclosure_date\": \"2022-04-05\", \"fullname\": \"exploit/multi/http/dompdf_rce_cve_2022_28368\", \"is_install_path\": true, \"mod_time\": \"2026-05-20 15:50:16 +0000\", \"name\": \"Dompdf RCE via Malicious Font Caching (CVE-2022-28368)\", \"needs_cleanup\": true, \"notes\": {\"Reliability\": [\"repeatable-session\"], \"SideEffects\": [\"artifacts-on-disk\", \"ioc-in-logs\"], \"Stability\": [\"crash-safe\"]}, \"path\": \"/modules/exploits/multi/http/dompdf_rce_cve_2022_28368.rb\", \"platform\": \"PHP\", \"post_auth\": false, \"rank\": 600, \"ref_name\": \"multi/http/dompdf_rce_cve_2022_28368\", \"references\": [\"CVE-2022-28368\", \"GHSA-56gj-mvh6-rp75\", \"URL-https://positive.security/blog/dompdf-rce\", \"URL-https://github.com/rvizx/CVE-2022-28368\"], \"rport\": 80, \"session_types\": false, \"targets\": [\"PHP\"], \"type\": \"exploit\"}", "creation_timestamp": "2026-05-21T04:46:43.000000Z"}