High 8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

PT-2025-08: Deserialization of untrusted data in TCPDF

Error type:

  • CWE-502: Deserialization of Untrusted Data

Vulnerability vector:

  • Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
  • Severity (CVSSv4.0): 8.8 (high)

Description:
The vulnerability was identified in TCPDF, version 6.9.1.

This library contains a class whose properties form a POP (Property-Oriented Programming) chain. When an object of this class is deserialized with certain values in some of its fields, an attacker can delete an arbitrary file from the system.
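The pattern described above, as an added example that is not TCPDF's own code: a constructed stand-in class whose destructor removes the file named in one of its properties, next to an unserialize() call restricted with allowed_classes so that no gadget class is ever instantiated. The class name, property name and helper names are assumptions for illustration only.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a POP gadget (not the TCPDF class): a destructor
// that trusts a property value is enough to turn unserialize() into unlink().
final class TempFileHolder
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Hardened call: with allowed_classes => false every serialized object is
// revived as __PHP_Incomplete_Class, so no __wakeup()/__destruct() of a
// gadget can run. max_depth (PHP >= 7.4) also bounds nesting of untrusted input.
function safe_unserialize(string $payload): mixed
{
    return unserialize($payload, ['allowed_classes' => false, 'max_depth' => 16]);
}

// Returns true when a payload naming the gadget class is revived as an
// incomplete class and the referenced file survives, i.e. the chain is defused.
function gadget_is_defused(): bool
{
    $victim = tempnam(sys_get_temp_dir(), 'pop'); // constructed victim file

    // Build the payload from a live object, then clear the property so this
    // object's own destructor does not remove the file when it goes out of scope.
    $gadget = new TempFileHolder();
    $gadget->path = $victim;
    $payload = serialize($gadget);
    $gadget->path = '';

    $revived = safe_unserialize($payload);
    $incomplete = $revived instanceof __PHP_Incomplete_Class;
    unset($revived); // an incomplete class carries no destructor to run

    $survived = file_exists($victim);
    if ($survived) {
        unlink($victim); // clean up the constructed test file
    }
    return $incomplete && $survived;
}

echo gadget_is_defused() ? "gadget defused\n" : "gadget ran\n";
```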

Vulnerability status: Confirmed by vendor

Date of vulnerability remediation: 20.04.2025

Recommendations:

  • Update to version 6.9.3 or higher

Additional information: Changelog

Researchers: Nikita Sveshnikov, Aleksey Solovev (Positive Technologies)

Vendor:

Tecnick.com LTD

Vulnerable product:

TCPDF

Vulnerable versions:

6.9.1