CVE-2022-50897
Local File Inclusion in mPDF 7.0 Enables Arbitrary File Read
Publication date: 2026-01-13
Last updated on: 2026-02-02
Assigner: VulnCheck
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mpdf | mpdf | 7.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-98 | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50897 is a local file inclusion (LFI) vulnerability in mPDF version 7.0. It allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can craft annotation content with file path specifications encoded in URL-encoded or base64 formats to include local files on the server. This happens because mPDF improperly handles file inclusion in its annotation processing, enabling attackers to access sensitive files without authorization. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow attackers to read arbitrary files on the server where mPDF 7.0 is used. This can lead to exposure of sensitive information such as configuration files, credentials, or other private data stored on the system. Since no privileges or user interaction are required, an attacker can remotely exploit this vulnerability to gain unauthorized access to sensitive system files, potentially compromising the security of the affected system. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of crafted annotation payloads that include URL-encoded or base64-encoded file path specifications targeting mPDF 7.0. One approach is to monitor HTTP requests or application logs for suspicious annotation parameters containing encoded file paths. Additionally, using the provided Python3 exploit script from Resource 2, you can generate test payloads to verify whether your system is vulnerable by injecting these payloads and observing whether local files are included or disclosed. Specific commands would involve capturing and inspecting web traffic or logs for patterns matching the XML annotation payload format, such as searching for '<annotation file=' strings with encoded content. However, no explicit detection commands are provided in the resources. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user inputs, especially those related to annotation file parameters in mPDF, to prevent injection of malicious file paths. Restrict or disable the use of annotation file parameters if not required. Update or patch mPDF to a version where this vulnerability is fixed if available. If an update is not possible, implement strict access controls and input filtering on the server side to block attempts to include local files via crafted annotation content. Monitoring and logging suspicious activities related to annotation parameters can also help in early detection and response. [3]
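The log search described in the detection answer and the server-side validation described in the mitigation answer, as one added Python example that is not part of this record, of the referenced resources, or of mPDF's own code. It assumes a constructed log format in which the submitted annotation markup is logged in a `body=` field, an assumed allowed directory `/var/app/annotations` for annotation files, and constructed sample log lines; the base64 heuristic (a run of base64 characters that decodes to printable text) is a detection assumption and may need tuning for your traffic.

```python
import base64
import posixpath
import re
from pathlib import PurePosixPath
from urllib.parse import unquote

# An <annotation ...> element carrying a file attribute, in either quote style.
ANNOTATION_FILE_RE = re.compile(
    r'<annotation\b[^>]*\bfile\s*=\s*["\']([^"\']*)["\']', re.IGNORECASE)
# Heuristic for a base64-looking attribute value (assumption: 8+ chars of the base64 alphabet).
BASE64_RE = re.compile(r'^[A-Za-z0-9+/=]{8,}$')

# Constructed sample log lines (not real traffic); line 2 is URL-encoded, line 3 is base64.
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Jan/2026:10:00:01] "POST /report HTTP/1.1" 200 body=<annotation file="notes/page1.txt" />',
    '10.0.0.7 - - [13/Jan/2026:10:00:02] "POST /report HTTP/1.1" 200 body=<annotation file="..%2F..%2Fetc%2Fhostname" />',
    '10.0.0.9 - - [13/Jan/2026:10:00:03] "POST /report HTTP/1.1" 200 body=<annotation file="Li4vLi4vZXRjL2hvc3RuYW1l" />',
    '10.0.0.9 - - [13/Jan/2026:10:00:04] "GET /index.php HTTP/1.1" 200 -',
]


def decode_candidates(value):
    """Return the raw value plus any URL-decoded or base64-decoded form that differs from it."""
    candidates = [value]
    url_decoded = unquote(value)
    if url_decoded != value:
        candidates.append(url_decoded)
    stripped = value.strip()
    if BASE64_RE.match(stripped):
        try:
            text = base64.b64decode(stripped, validate=True).decode("utf-8")
            if text.isprintable():
                candidates.append(text)
        except (ValueError, UnicodeDecodeError):
            pass  # not valid base64 or not text: treat as a plain value
    return candidates


def is_suspicious_path(path):
    """A file path is suspicious when it is absolute or climbs upward with '..'."""
    parts = PurePosixPath(path).parts
    return PurePosixPath(path).is_absolute() or ".." in parts


def scan_log_lines(lines):
    """Return (line_no, raw_value, decoded_value, reason) for each annotation file attribute
    that is encoded or resolves to an absolute / traversing path."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        for match in ANNOTATION_FILE_RE.finditer(line):
            raw = match.group(1)
            for candidate in decode_candidates(raw):
                reasons = []
                if candidate != raw:
                    reasons.append("encoded")
                if is_suspicious_path(candidate):
                    reasons.append("traversal-or-absolute")
                if reasons:
                    findings.append((line_no, raw, candidate, ",".join(reasons)))
                    break  # one finding per attribute is enough
    return findings


def is_allowed_annotation_file(value, allowed_root="/var/app/annotations"):
    """Server-side allowlist check: accept only a plain, relative path that stays inside
    allowed_root. Encoded values are rejected outright, since a legitimate client has no
    reason to send the file name URL- or base64-encoded (design choice, not mPDF's logic)."""
    if not value or len(decode_candidates(value)) > 1:
        return False
    if is_suspicious_path(value):
        return False
    target = posixpath.normpath(posixpath.join(allowed_root, value))
    return target.startswith(allowed_root.rstrip("/") + "/")


if __name__ == "__main__":
    for line_no, raw, decoded, reason in scan_log_lines(SAMPLE_LOG):
        print(f"line {line_no}: file={raw!r} -> {decoded!r} [{reason}]")
    for candidate in ("notes/page1.txt", "..%2F..%2Fetc%2Fhostname", "/etc/hostname"):
        print(f"{candidate!r}: allowed={is_allowed_annotation_file(candidate)}")
```

On the constructed sample, only lines 2 and 3 are reported, both decoding to the same traversing path, while the plain `notes/page1.txt` reference passes the allowlist check. The scanner is deliberately tolerant (any encoded value is flagged) because the detection answer above treats encoding itself as the signal; the validator is deliberately strict for the same reason, so tune either side to the file names your application legitimately accepts.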