CVE-2014-2383

Name: CVE-2014-2383
Creator: NVD / NIST
Published: 2014-04-28T14:09:06.707+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 39.37%

Last modified Jun 17, 2026

CVE-2014-2383 is a vulnerability of currently unknown severity. dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.. EPSS estimates a 39.37% chance of exploitation in the next 30 days.

Description

dompdf.php in dompdf before 0.6.1, when DOMPDF_ENABLE_PHP is enabled, allows context-dependent attackers to bypass chroot protections and read arbitrary files via a PHP protocol and wrappers in the input_file parameter, as demonstrated by a php://filter/read=convert.base64-encode/resource in the input_file parameter.

Metrics

EPSS Probability

39.37%

98.4th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-200

Affected Software

Vendor	Product	Versions	Update
Dompdf	Dompdf	<= 0.6.0	Beta3

References

http://seclists.org/fulldisclosure/2014/Apr/258Mailing List, Third Party Advisory
http://www.securityfocus.com/archive/1/531912/100/0/threadedBroken Link, Third Party Advisory, VDB Entry
https://explore.avertium.com/resource/lfi-rfi-escalation-to-rce
https://github.com/dompdf/dompdf/commit/23a693993299e669306929e3d49a4a1f7b3fb028Patch, Third Party Advisory
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/Broken Link
http://seclists.org/fulldisclosure/2014/Apr/258Mailing List, Third Party Advisory
http://www.securityfocus.com/archive/1/531912/100/0/threadedBroken Link, Third Party Advisory, VDB Entry
https://explore.avertium.com/resource/lfi-rfi-escalation-to-rce
https://github.com/dompdf/dompdf/commit/23a693993299e669306929e3d49a4a1f7b3fb028Patch, Third Party Advisory
https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2383/Broken Link

Timeline

Published: Apr 28, 2014
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2014-2383?

How severe is CVE-2014-2383?

Severity scoring for CVE-2014-2383 is pending analysis. The EPSS model estimates a 39.37% probability of exploitation in the next 30 days.

How do I fix CVE-2014-2383?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2014-2383?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST