pontedilana/php-weasyprint <= 2.5.0 Shell Command Injection
What changed
A shell-command injection vulnerability was discovered in pontedilana/php-weasyprint versions <= 2.5.0. The buildCommand method calls escapeshellarg() on the binary path and then passes the quoted result to is_executable(). That check always fails, because the surrounding quotes are part of the string it tests. The raw, unquoted $binary is then interpolated into Process::fromShellCommandline(), so anyone who can influence the configured binary path can inject shell commands.
Who it affects
All users of pontedilana/php-weasyprint <= 2.5.0 who source the binary path from configuration, environment variables, or per-tenant settings. Any deployment where an attacker can influence the binary string can achieve remote code execution.
What to do today
Upgrade to version 2.5.1 or apply the provided patch: rewrite the buildCommand guard so that it checks is_executable($binary) on the raw path first and only then applies escapeshellarg() to the value handed to the shell.
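The ordering mistake and the corrected guard side by side, as an added PHP example (not the library's own code; the function names, the simplified command shape and the use of /bin/sh as a stand-in binary are assumptions):

```php
<?php
// Added example: a simplified stand-in for the buildCommand guard described in
// the advisory. Names and command shape are illustrative, not the library's API.

// Vulnerable ordering: quote first, then test. is_executable() is handed the
// string *including* its quotes, so it never succeeds, and the fallback hands
// the raw, unquoted $binary to Process::fromShellCommandline().
function buildCommandVulnerable(string $binary, string $input, string $output): string
{
    $quoted = escapeshellarg($binary);
    if (is_executable($quoted)) {          // always false: "'/usr/bin/weasyprint'" is not a path
        return $quoted . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
    }
    return $binary . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output); // raw path
}

// Fixed ordering: validate the raw path first, refuse anything that is not an
// executable file, and only then quote it for the shell.
function buildCommandFixed(string $binary, string $input, string $output): string
{
    if (!is_executable($binary)) {
        throw new InvalidArgumentException('binary is not executable: ' . $binary);
    }
    return escapeshellarg($binary) . ' ' . escapeshellarg($input) . ' ' . escapeshellarg($output);
}

// Show the guard mismatch with a binary every POSIX host has (assumed: /bin/sh).
$bin = '/bin/sh';
var_dump(is_executable(escapeshellarg($bin))); // bool(false): quotes are part of the string
var_dump(is_executable($bin));                 // bool(true)

// The fixed builder rejects a non-executable, attacker-influenced value outright
// instead of silently passing it through to the shell.
try {
    buildCommandFixed('/nonexistent/weasyprint', '/tmp/in.html', '/tmp/out.pdf');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo buildCommandFixed($bin, '/tmp/in.html', '/tmp/out.pdf'), PHP_EOL;
```

Where the calling code can be changed, passing an argv array to Symfony's `new Process([$binary, $input, $output])` avoids the shell entirely, which removes the need for escapeshellarg() at all.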