CVE-2024-22641
HIGH
TCPDF < 6.7.4 - Regular Expression Denial of Service via SVG File Parsing
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2024-22641. PoCs published by zunak.
AI-analyzed exploit summary
This repository contains a functional PoC for CVE-2024-22641, demonstrating a ReDoS vulnerability in TCPDF <= 6.7.4 when parsing a maliciously crafted SVG file. The PoC includes both the SVG payload and PHP code to trigger the vulnerability.
Description
TCPDF version 6.6.5 and before is vulnerable to ReDoS (Regular Expression Denial of Service) if parsing an untrusted SVG file.
Exploits (1)
nomisec
WORKING POC
1 star
by zunak · poc
https://github.com/zunak/CVE-2024-22641
Classification
Working PoC 95%
Attack Type
DoS
Complexity
Trivial
Reliability
Reliable
Target:
TCPDF <= 6.7.4
No auth needed
Prerequisites:
Ability to provide a crafted SVG file to the TCPDF parser
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026
References (2)
Core References
Exploit, Third Party Advisory
https://github.com/zunak/CVE-2024-22641
Scores
CVSS v3
7.5
EPSS
0.0111
EPSS Percentile
61.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-434
Status
published
Products (1)
tcpdf_project/tcpdf
< 6.7.4
Published
May 28, 2024
Tracked Since
Feb 18, 2026