CVE-2025-54869

FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. In versions 2.6.2 and below, any application that uses FPDI to process user-supplied PDF files is at risk, causing a Denial of Service (DoS) vulnerability. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained service unavailability. This issue is fixed in version 2.6.3.

CVSS

No CVSS.

References

Link	Resource
https://github.com/Setasign/FPDI/commit/ba671ba9221cffd32c2dda87316c19f522a1c5f0
https://github.com/Setasign/FPDI/security/advisories/GHSA-jxhh-4648-vpp3

Configurations

No configuration.

History

06 Aug 2025, 20:23

Type	Values Removed	Values Added
Summary		(es) FPDI es una colección de clases PHP que facilita la lectura de páginas de documentos PDF existentes y su uso como plantillas en FPDF. En las versiones 2.6.2 y anteriores, cualquier aplicación que utilice FPDI para procesar archivos PDF proporcionados por el usuario está en riesgo, lo que provoca una vulnerabilidad de denegación de servicio (DoS). Un atacante puede cargar un archivo PDF pequeño y malicioso que provocará el bloqueo del script del servidor por agotamiento de memoria. Los ataques repetidos pueden provocar la indisponibilidad prolongada del servicio. Este problema se solucionó en la versión 2.6.3.

06 Aug 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-06 00:15

Updated : 2025-08-06 20:23

NVD link : CVE-2025-54869

Mitre link : CVE-2025-54869

CVE.ORG link : CVE-2025-54869

JSON object : View

Products Affected

No product.

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-54869", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.0, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-06T00:15:31.197", "references": [{"url": "https://github.com/Setasign/FPDI/commit/ba671ba9221cffd32c2dda87316c19f522a1c5f0", "source": "security-advisories@github.com"}, {"url": "https://github.com/Setasign/FPDI/security/advisories/GHSA-jxhh-4648-vpp3", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. In versions 2.6.2 and below, any application that uses FPDI to process user-supplied PDF files is at risk, causing a Denial of Service (DoS) vulnerability. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained service unavailability. This issue is fixed in version 2.6.3."}, {"lang": "es", "value": "FPDI es una colecci\u00f3n de clases PHP que facilita la lectura de p\u00e1ginas de documentos PDF existentes y su uso como plantillas en FPDF. En las versiones 2.6.2 y anteriores, cualquier aplicaci\u00f3n que utilice FPDI para procesar archivos PDF proporcionados por el usuario est\u00e1 en riesgo, lo que provoca una vulnerabilidad de denegaci\u00f3n de servicio (DoS). Un atacante puede cargar un archivo PDF peque\u00f1o y malicioso que provocar\u00e1 el bloqueo del script del servidor por agotamiento de memoria. Los ataques repetidos pueden provocar la indisponibilidad prolongada del servicio. Este problema se solucion\u00f3 en la versi\u00f3n 2.6.3."}], "lastModified": "2025-08-06T20:23:52.133", "sourceIdentifier": "security-advisories@github.com"}