Rapid7

Dompdf RCE via Malicious Font Caching (CVE-2022-28368)

Disclosed: Apr 5, 2022
Created: May 21, 2026

Description

This module exploits CVE-2022-28368, a Remote Code Execution vulnerability
in dompdf versions prior to 1.2.1. The vulnerability exists because dompdf
preserves the original file extension when caching fonts downloaded via CSS
@font-face rules. By pointing a @font-face src to a .php file containing a
valid TrueType font header with embedded PHP code, the file is saved in the
dompdf font cache (lib/fonts/) with its .php extension intact. The cached
file can then be executed by directly requesting it from the web server.

For dompdf versions $isRemoteEnabled setting. For versions 0.8.6 through 1.2.0, the
$isRemoteEnabled option must be set to true.

This module requires the ability to inject HTML/CSS into the data processed
by dompdf (e.g., via an XSS, a user-controlled form field, or a direct
parameter) and that the dompdf font cache directory is web-accessible.
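The two conditions the description names (a web-accessible font cache that keeps foreign extensions, and $isRemoteEnabled set to true on 0.8.6 through 1.2.0) can both be audited from the server side. The following is an added defender's check, not part of the Rapid7 module: it walks a dompdf font cache directory and flags files whose extension is not a font format or which carry a PHP open tag, and it greps application PHP for the remote-loading option being switched on. The set of legitimate font extensions, the allow-listed dompdf_font_family_cache.php name and the sample files it builds are assumptions and constructed data, not taken from the page.

```python
import os
import re
import tempfile

# Extensions dompdf is expected to write into its font cache (assumption;
# adjust to the font formats your deployment actually uses).
FONT_EXTENSIONS = {".ttf", ".otf", ".afm", ".ufm", ".pfb", ".json"}

# dompdf keeps its own font-family index as a PHP file in lib/fonts/;
# allow-listed here by name (assumption), but worth integrity-checking separately.
LEGITIMATE_PHP_FILES = {"dompdf_font_family_cache.php",
                        "dompdf_font_family_cache.dist.php"}

PHP_MARKERS = (b"<?php", b"<?=")

# Matches the option being enabled in either style:
#   $options->set('isRemoteEnabled', true);   'isRemoteEnabled' => true
#   define("DOMPDF_ENABLE_REMOTE", true);   (legacy constant)
REMOTE_ENABLED_RE = re.compile(
    r"""(?:isRemoteEnabled|DOMPDF_ENABLE_REMOTE)['"]?\s*(?:,|=>)\s*true""",
    re.IGNORECASE,
)


def scan_font_cache(cache_dir):
    """Return sorted (relative_path, reason) pairs for cache entries that are not
    plain font files: unexpected extension, or a PHP open tag inside the data.
    Anything flagged in a web-accessible lib/fonts/ deserves investigation."""
    findings = []
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            if name in LEGITIMATE_PHP_FILES:
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, cache_dir)
            ext = os.path.splitext(name)[1].lower()
            if ext not in FONT_EXTENSIONS:
                findings.append((rel, f"unexpected extension {ext or '(none)'}"))
            with open(path, "rb") as fh:
                data = fh.read()
            if any(marker in data for marker in PHP_MARKERS):
                findings.append((rel, "PHP open tag inside cached font file"))
    return sorted(findings)


def find_remote_enabled(php_source):
    """Return 1-based line numbers where remote font/image loading is enabled."""
    return [n for n, line in enumerate(php_source.splitlines(), 1)
            if REMOTE_ENABLED_RE.search(line)]


def build_sample_cache():
    """Create a throwaway directory imitating lib/fonts/ (constructed sample data)."""
    cache = tempfile.mkdtemp(prefix="dompdf_fonts_")
    ttf_header = b"\x00\x01\x00\x00"  # sfnt version tag of a TrueType file
    samples = {
        "DejaVuSans.ttf": ttf_header + b"\x00" * 60,               # benign font
        "dompdf_font_family_cache.php": b"<?php return array();",  # dompdf's own index
        "evil_font.php": ttf_header + b"\x00" * 8 + b"<?php /* marker only */",
        "notes.txt": b"stray file left in the cache",
    }
    for name, data in samples.items():
        with open(os.path.join(cache, name), "wb") as fh:
            fh.write(data)
    return cache


# Constructed configuration excerpt in the style of a dompdf bootstrap file.
SAMPLE_CONFIG = """<?php
$options = new Dompdf\\Options();
$options->set('isRemoteEnabled', true);   // remote @font-face fetching on
$options->set('chroot', '/var/www/app');
define("DOMPDF_ENABLE_REMOTE", true);     // legacy constant, same effect
"""

if __name__ == "__main__":
    for rel, reason in scan_font_cache(build_sample_cache()):
        print(f"{rel}: {reason}")
    print("isRemoteEnabled true on lines:", find_remote_enabled(SAMPLE_CONFIG))
```

Run it against the real lib/fonts/ path and the application's dompdf bootstrap; an empty result from both functions, together with the cache directory sitting outside the web root, is the state the description's attack chain cannot reach.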

Authors

Maximilian Kirchmeier
Fabian Bräunlein
rvizx
msutovsky-r7
Adithya Pawar

Platform

PHP

Architectures

php

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/http/dompdf_rce_cve_2022_28368
msf exploit(dompdf_rce_cve_2022_28368) > show targets
...targets...
msf exploit(dompdf_rce_cve_2022_28368) > set TARGET < target-id >
msf exploit(dompdf_rce_cve_2022_28368) > show options
...show and set options...
msf exploit(dompdf_rce_cve_2022_28368) > exploit
