Impact
PhpWeasyPrint is a PHP library used to generate PDFs from URLs or HTML content. A case‑sensitive blacklist was used to block the 'phar://' stream wrapper in the output filename, but PHP stream wrappers are case‑insensitive. An attacker can supply 'PHAR://', 'Phar://', or other uppercase variations to bypass the check and cause the library to call file_exists on a crafted PHAR archive. In PHP 7.4+ this leads to deserialization of the archive’s metadata, allowing arbitrary code execution. The flaw is a deserialization vulnerability (CWE‑502). Version 2.6.0 of the library contains the patch that removes the case‑sensitive bypass.
Affected Systems
The vulnerable product is the PHP‑based library pontedilana/php-weasyprint. All releases before version 2.6.0, which include support for PHP 7.4 and newer, are affected. The library is typically embedded in web applications or scripts that generate PDFs, so any system using those versions is at risk.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog. Successful exploitation requires that the application supply a user‑controlled output filename to the library; the vulnerability is not exposed as a standalone network service. Based on the description, it is inferred that an attacker can influence the filename through web forms, APIs, or other input mechanisms. If the check is bypassed, the attacker gains remote code execution on the host running the PHP process.
OpenCVE Enrichment
Github GHSA