php · pontedilana/php-weasyprint · Critical
pontedilana/php-weasyprint: PHAR deserialization via phar:// blacklist bypass
What changed
A case-insensitive bypass of the phar:// blacklist in prepareOutput() allows PHAR deserialization on PHP < 8, leading to remote code execution.
Who it affects
All users of pontedilana/php-weasyprint <= 2.5.1, especially those running PHP 7 with attacker-controlled output filenames and the ability to place PHAR archives on the server.
What to do today
Upgrade to version 2.6.0 or apply the suggested fix using a scheme allow-list.
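To make the difference between the two approaches concrete, here is an added illustration that is not taken from php-weasyprint: a substring blacklist of the kind the advisory describes beside a scheme allow-list. The function names, the exact shape of the blacklist test and the sample paths are assumptions, not the library's code.

```php
<?php
// Added example, not php-weasyprint's own code. Function names, the form of
// the blacklist test and the sample paths below are all assumptions.

declare(strict_types=1);

/**
 * Blacklist-style check modelled on the flaw in the advisory: a
 * case-sensitive test for "phar://" misses other spellings of the scheme,
 * and PHP's stream-wrapper lookup treats the scheme case-insensitively.
 * Returns true when the path is accepted (i.e. not blocked).
 */
function acceptedByPharBlacklist(string $path): bool
{
    return strpos($path, 'phar://') !== 0;
}

/**
 * Allow-list: accept only a plain filesystem path (no scheme) or an explicit
 * "file://" scheme. Every other wrapper, in any letter case, is rejected.
 */
function isAllowedOutputPath(string $path): bool
{
    // A wrapper scheme is letters/digits/+/-/. followed by "://".
    if (preg_match('/^([a-z][a-z0-9+.\-]*):\/\//i', $path, $m) !== 1) {
        return true; // no scheme at all: ordinary path
    }
    $scheme = strtolower($m[1]);      // normalise before comparing
    return in_array($scheme, ['file'], true);
}

// Constructed sample inputs: two legitimate paths and two phar:// spellings.
$samplePaths = [
    '/tmp/out.pdf',
    'file:///tmp/out.pdf',
    'phar:///tmp/archive.jpg/out.pdf',
    'PHAR:///tmp/archive.jpg/out.pdf', // case variant the blacklist misses
];

foreach ($samplePaths as $p) {
    printf("%-36s blacklist:%-6s allow-list:%s\n", $p,
        acceptedByPharBlacklist($p) ? 'accept' : 'block',
        isAllowedOutputPath($p) ? 'accept' : 'block');
}
```

The allow-list also rejects wrappers the blacklist never mentioned (data://, ftp://, and so on), which is why the advisory recommends it over extending the blacklist.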