CIVI-SA-2023-06: Dompdf 2.0.3

2023-02-15 12:00
Written by
dev-team - member of the CiviCRM community - view blog guidelines

The "dompdf" library has a vulnerability which allows remote code execution. It may be exploited by some backend users.

Security Risk
Arbitrary PHP Code Execution
Affected Versions

CiviCRM version 5.58.0 (and earlier), 5.57.3 (and earlier)

Fixed Versions

CiviCRM version 5.58.1, 5.57.4 (ESR)

Publication Date

Upgrade to the fixed version of CiviCRM

Alternatively, if you cannot upgrade CiviCRM, you MAY be able to manually upgrade dompdf (on Drupal 8/9). In your site-root, download the secure version:

composer require 'dompdf/dompdf:~2.0.3'

NOTE: This is useful as a short-term override. In the future, when you have a chance to update CiviCRM, you will need to edit composer.json and remove this override.