70 Million Devices Vulnerable Due to Logic Flaw Exposing Internal Networks


A critical logic flaw discovered in the widely used mPDF PHP library could expose internal networks and sensitive services on approximately 70 million devices worldwide.

The vulnerability stems from improper regular expression parsing, which allows attackers to issue unauthorized web requests even when user input appears sanitized.

mPDF, an open-source PHP library for generating PDFs from HTML, contains a dangerous vulnerability in its CSS parsing.

Figure: Extracting URLs from @import rules

The library processes @import CSS rules without properly validating their location within the HTML document.

This oversight means attackers can craft malicious input that bypasses standard sanitization functions like htmlentities() and htmlspecialchars().

The vulnerability allows attackers to initiate Server-Side Request Forgery (SSRF) attacks and probe internal networks.

By injecting specially crafted @import directives, an attacker can force the vulnerable server to make requests to internal services, including Redis, MySQL, and other network-accessible applications.

The flaw is particularly dangerous because it works even when developers implement what they believe to be secure input sanitization.

Security researcher brun0ne discovered the flaw and demonstrated that attackers could abuse the Gopher protocol supported by cURL, which mPDF uses to make web requests, to send arbitrary TCP data to internal services.

This enables port scanning of local networks and potentially arbitrary file writing via services such as Redis.

Figure: The triggered web requests

The researcher provided proof-of-concept code showing how the attack could be executed in a real-world scenario.

The discoverer reported the vulnerability to mPDF’s maintainers in May 2025 and requested a CVE identifier in late May.

However, the MITRE CVE organization rejected the request in October, arguing that the flaw constitutes intended behavior rather than a vulnerability.

The rejection claimed that mPDF users are responsible for implementing their own sanitization, not the library developers.

Despite the lack of an official CVE designation, the implications remain severe. Any application that uses mPDF to process user-controlled input is vulnerable to compromise.

Organizations currently using mPDF should implement additional input validation by blocking special characters, including @, (, ), :, and /, or should consider migrating to alternative PDF generation solutions with stronger security protections.
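To make the two points above concrete, the following added example (written for this article, not code from mPDF or from the researcher) checks user text before it reaches a PDF generator: it shows that an htmlspecialchars()-style escape leaves a bare @import directive untouched, and it applies the character denylist recommended above. The sample inputs and the `internal.example` host are constructed placeholders.

```python
import html
import re

# Constructed sample inputs (not from the article). The second carries a bare
# @import directive in plain text, the pattern mPDF processes regardless of
# where it sits in the document.
SAFE_INPUT = "Quarterly report for Alice, March 2025"
IMPORT_INPUT = "Quarterly report @import url(http://internal.example/probe.css);"

# Characters the article recommends blocking before handing input to mPDF.
BLOCKED_CHARS = set("@():/")

IMPORT_RULE = re.compile(r"@import\b", re.IGNORECASE)


def htmlspecialchars(text: str) -> str:
    """Python equivalent of PHP htmlspecialchars(): escapes only & < > \" and '."""
    return html.escape(text, quote=True)


def import_survives_escaping(text: str) -> bool:
    """True if an @import directive is still present after HTML escaping.

    The directive uses none of the five escaped characters, so escaping alone
    does not neutralise it.
    """
    return IMPORT_RULE.search(htmlspecialchars(text)) is not None


def find_blocked_chars(text: str) -> set:
    """Return the subset of BLOCKED_CHARS that appears in the text."""
    return BLOCKED_CHARS & set(text)


def is_safe_for_mpdf(text: str) -> bool:
    """Accept input only when it has no @import rule and none of the blocked characters."""
    return IMPORT_RULE.search(text) is None and not find_blocked_chars(text)


if __name__ == "__main__":
    print("escaped:", htmlspecialchars(IMPORT_INPUT))
    print("import survives escaping:", import_survives_escaping(IMPORT_INPUT))
    print("blocked chars found:", sorted(find_blocked_chars(IMPORT_INPUT)))
    print("safe:", is_safe_for_mpdf(IMPORT_INPUT), is_safe_for_mpdf(SAFE_INPUT))
```

Note that the character denylist also rejects legitimate values such as e-mail addresses and URLs, so it belongs on fields that never need them, with an explicit @import check as a second layer elsewhere.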

The vulnerability highlights a critical gap between library developers’ expectations and real-world security practices.

While the mPDF team maintains that applications using their library should implement proper input sanitization, the demonstration shows that standard PHP sanitization functions are insufficient against this particular logic flaw.
