CVE-2022-50897
Unknown Unknown - Not Provided
Local File Inclusion in mPDF 7.0 Enables Arbitrary File Read

Publication date: 2026-01-13

Last updated on: 2026-02-02

Assigner: VulnCheck

Description
mPDF 7.0 contains a local file inclusion vulnerability that allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can generate URL-encoded or base64 payloads to include local files through crafted annotation content with file path specifications.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-13
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-14
EPSS Evaluated
2026-06-15
NVD
CVE-2022-50897
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mpdf mpdf 7.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-98 The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2022-50897 is a local file inclusion (LFI) vulnerability in mPDF version 7.0. It allows attackers to read arbitrary system files by manipulating annotation file parameters. Attackers can craft annotation content with file path specifications encoded in URL-encoded or base64 formats to include local files on the server. This happens because mPDF improperly handles file inclusion in its annotation processing, enabling attackers to access sensitive files without authorization. [1, 2]

Impact Analysis

This vulnerability can allow attackers to read arbitrary files on the server where mPDF 7.0 is used. This can lead to exposure of sensitive information such as configuration files, credentials, or other private data stored on the system. Since no privileges or user interaction are required, an attacker can remotely exploit this vulnerability to gain unauthorized access to sensitive system files, potentially compromising the security of the affected system. [1, 2]

Detection Guidance

This vulnerability can be detected by checking for the presence of crafted annotation payloads that include URL-encoded or base64-encoded file path specifications targeting mPDF 7.0. One approach is to monitor HTTP requests or application logs for suspicious annotation parameters containing encoded file paths. Additionally, using the provided Python3 exploit script from Resource 2, you can generate test payloads to verify if your system is vulnerable by injecting these payloads and observing if local files are included or disclosed. Specific commands would involve capturing and inspecting web traffic or logs for patterns matching the XML annotation payload format, such as searching for '<annotation file=' strings with encoded content. However, no explicit detection commands are provided in the resources. [2]

Mitigation Strategies

Immediate mitigation steps include sanitizing and validating all user inputs, especially those related to annotation file parameters in mPDF, to prevent injection of malicious file paths. Restrict or disable the use of annotation file parameters if not required. Update or patch mPDF to a version where this vulnerability is fixed if available. If an update is not possible, implement strict access controls and input filtering on the server side to block attempts to include local files via crafted annotation content. Monitoring and logging suspicious activities related to annotation parameters can also help in early detection and response. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2022-50897. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart