Skip to main content

Setasign FPDI CVE-2026-45802

| EUVDEUVD-2026-36305 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-05-19 https://github.com/Setasign/FPDI GHSA-2mgw-7q6p-8grg
6.0
CVSS 4.0 · Vendor: https://github.com/Setasign/FPDI
Share

Severity by source

Vendor (https://github.com/Setasign/FPDI) PRIMARY
6.0 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (https://github.com/Setasign/FPDI) · only source for this CVE.

CVSS VectorVendor: https://github.com/Setasign/FPDI

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 11, 2026 - 20:22 NVD
6.0 (MEDIUM)
Source Code Evidence Fetched
May 19, 2026 - 20:17 vuln.today
Analysis Generated
May 19, 2026 - 20:17 vuln.today

DescriptionCVE.org

Impact

This is a significant Denial of Service (DoS) vulnerability. Any application that uses FPDI to process user-supplied PDF files is at risk. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out. Repeated attacks can lead to sustained service unavailability.

Patches

Fixed as of version 2.6.7

Workarounds

No.

References

No.

AnalysisAI

Memory exhaustion and endless loop in Setasign FPDI (composer package setasign/fpdi) allow remote attackers to crash PHP server-side scripts by uploading a small, specially crafted PDF file. All versions prior to 2.6.7 are affected, and any web application that exposes FPDI-based PDF processing to user-supplied input is vulnerable. Repeated submissions can sustain service unavailability; no public exploit has been identified at time of analysis, and no CISA KEV listing exists.

Technical ContextAI

FPDI is a PHP composer library (setasign/fpdi) used to import and process existing PDF documents server-side. The root cause maps to CWE-770 (Allocation of Resources Without Limits or Throttling): when parsing a maliciously structured PDF, the library fails to bound memory allocation or detect and break from infinite parsing loops. PHP scripts executing FPDI will either exhaust available server memory or hit the configured script execution time-out (max_execution_time), causing a fatal crash. The vulnerability is triggered during PDF structure traversal - likely in cross-reference table or object stream parsing - where a crafted input causes unbounded resource consumption.

RemediationAI

Upgrade the composer package setasign/fpdi to version 2.6.7 or later by running 'composer update setasign/fpdi' or pinning '^2.6.7' in composer.json. This is the vendor-released patch per the GitHub advisory at https://github.com/Setasign/FPDI/security/advisories/GHSA-2mgw-7q6p-8grg; no workarounds are offered by the vendor. As a compensating control pending upgrade, operators should restrict access to PDF upload endpoints to authenticated and trusted users only, enforce server-side file size limits before passing files to FPDI (e.g., reject PDFs above a configured threshold), and set conservative PHP memory_limit and max_execution_time values to contain the blast radius of an attack - note that tight time-out values may also affect legitimate large PDF processing.

Share

CVE-2026-45802 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy