CVE-2025-54869

MEDIUM

FPDI < 2.6.3 - Denial of Service via Malicious PDF File

Title source: llm

Description

FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. In versions 2.6.2 and below, any application that uses FPDI to process user-supplied PDF files is at risk, causing a Denial of Service (DoS) vulnerability. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained service unavailability. This issue is fixed in version 2.6.3.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/Setasign/FPDI/security/advisories/GHSA-jxhh-4648-vpp3

Patch x_refsource_misc

https://github.com/Setasign/FPDI/commit/ba671ba9221cffd32c2dda87316c19f522a1c5f0

View Patch ZIP pw:eip

Scores

CVSS v4 6.0

EPSS 0.0028

EPSS Percentile 19.4%

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (2)

setasign/fpdi 0 - 2.6.4Packagist

Setasign/FPDI < 2.6.3

Published Aug 06, 2025

Tracked Since Feb 18, 2026