High 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

PT-2025-07: Path Traversal in TCPDF

Error type:

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Vulnerability vector:

  • Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  • Severity (CVSSv4.0): 8.7 (high)

Description:

The vulnerability was identified in TCPDF, version 6.8.2.

The application performs insufficient validation of user input. Because user input is decoded before use, an attacker can construct a path to an arbitrary image on the server that the application logic does not intend to expose, and have that image included in the generated PDF file.
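The mitigation a defender wants for this class of weakness is to confine the final, fully decoded file name to an allowed directory before it reaches the PDF library. The following is an added example written for this advisory; it is not TCPDF's own code and does not reproduce the vulnerable code path. The helper `resolveImagePath()`, the directory `/var/www/app/images`, and the request parameter `img` are assumptions chosen for illustration; only the `TCPDF` class and its `Image()` method in the commented usage are real library names.

```php
<?php
// Added example, not TCPDF code: confine a user-supplied image name to an
// allowed directory before handing it to TCPDF's Image() method.
// $allowedDir and the parameter name are hypothetical.

function resolveImagePath(string $allowedDir, string $userValue): ?string
{
    // Reject NUL bytes outright; they can truncate paths in lower layers.
    if (strpos($userValue, "\0") !== false) {
        return null;
    }

    $base = realpath($allowedDir);
    if ($base === false) {
        return null; // allowed directory missing or unreadable
    }

    // Canonicalize the candidate AFTER every decoding step the application
    // applies (urldecode, base64, etc.), so the check sees the path that
    // will actually be opened, not an encoded form of it.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userValue);
    if ($candidate === false) {
        return null; // does not exist or cannot be resolved
    }

    // Require the resolved path to be strictly inside the base directory.
    // realpath() collapses "../" and follows symlinks, so this prefix test
    // catches both traversal sequences and links pointing outside.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // escaped the allowed directory
    }

    // Allow-list image extensions rather than trying to deny bad ones.
    $ext = strtolower(pathinfo($candidate, PATHINFO_EXTENSION));
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'gif'], true)) {
        return null;
    }

    return $candidate;
}

// Usage sketch (TCPDF class and Image() are the library's; the rest is
// illustrative):
// $path = resolveImagePath('/var/www/app/images', $_GET['img'] ?? '');
// if ($path === null) {
//     http_response_code(400);
//     exit('invalid image');
// }
// $pdf = new TCPDF();
// $pdf->AddPage();
// $pdf->Image($path, 15, 40, 80);
```

The ordering matters: validating an encoded value and then decoding it afterwards lets the decoded form differ from what was checked, which is the pattern the description above refers to. Run the confinement check on the exact string that will be passed to the file-opening call, and log rejected values so that traversal attempts are visible in application logs.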

Vulnerability status: Confirmed by vendor

Date of vulnerability remediation: 03.04.2025

Recommendations:

  • Update to version 6.9.1 or higher

Additional information: Changelog

Researcher: Aleksey Solovev (Positive Technologies)

Vendor:

Tecnick.com LTD

Vulnerable product:

TCPDF

Vulnerable versions:

6.8.2