diff --git a/include/class.pdf.php b/include/class.pdf.php
index 5e0b76371a55886d90e1353c886064fcff931c42..14c7b20c97c0dd948a7f87f2a8a472c8daa92b5e 100644
--- a/include/class.pdf.php
+++ b/include/class.pdf.php
@@ -19,6 +19,9 @@ define('THIS_DIR', str_replace('\\', '/', Misc::realpath(dirname(__FILE__))) . '
 
 require_once(INCLUDE_DIR.'mpdf/vendor/autoload.php');
 
+// unregister phar stream to mitigate vulnerability in mpdf library
+@stream_wrapper_unregister('phar');
+
 class mPDFWithLocalImages extends Mpdf {
     function WriteHtml($html, $sub = 0, $init = true, $close = true) {
         static $filenumber = 1;
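Review bot: The `@` in front of `stream_wrapper_unregister('phar')` hides a failed call, so the mitigation can be absent at runtime with nothing logged. I would drop the suppression and check the result, e.g. `if (in_array('phar', stream_get_wrappers(), true) && !stream_wrapper_unregister('phar')) error_log('phar stream wrapper could not be unregistered');`. The call runs only in requests that include this file and removes the wrapper for the rest of the request. The comment should say so and name the risk, presumably `// phar:// paths reaching mPDF's file functions can deserialize archive metadata; unregister the wrapper for the whole request before any PDF is rendered`. The class that follows continues outside the hunk.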
diff --git a/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php b/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php
index eabda53c3c74f1d385a3dd5782dca78131c8812b..a78362033d43265112577b87e9239d69d61895ef 100644
--- a/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php
+++ b/include/mpdf/vendor/mpdf/mpdf/src/CssManager.php
@@ -2224,6 +2224,17 @@ class CssManager
 			$path = preg_replace('/\.css\?.*$/', '.css', $path);
 		}
 
+        /*** Start osTicket Security Patch ***/
+
+        // Make sure only schemes allowed are http & https - this is to
+        // neutralize phar:// attack
+        $scheme = parse_url($path, PHP_URL_SCHEME);
+        if ($scheme && !in_array(strtolower($scheme), ['http', 'https']))
+            return '';
+
+        /*** End osTicket Security Patch ***/
+
+
 		$contents = @file_get_contents($path);
 
 		if ($contents) {
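Review bot: The scheme check treats every falsy result of `parse_url()` as "no scheme". A `false` return (a string the parser rejects as malformed) therefore still reaches `file_get_contents($path)`, as does any scheme-less local path. Rejecting the failure case explicitly closes that gap: `if ($scheme === false || ($scheme !== null && !in_array(strtolower($scheme), ['http', 'https'], true))) return '';`. If scheme-less local paths are meant to stay readable here, the comment should say so. This is a hand edit inside vendored mPDF, indented with spaces where the surrounding lines use tabs, and a library upgrade will drop it silently unless the patch is tracked outside the vendor tree. The enclosing method starts and ends outside the hunk.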