Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (https://github.com/Setasign/FPDI) · only source for this CVE.
CVSS VectorVendor: https://github.com/Setasign/FPDI
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Impact
This is a significant Denial of Service (DoS) vulnerability. Any application that uses FPDI to process user-supplied PDF files is at risk. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion or a script time-out. Repeated attacks can lead to sustained service unavailability.
Patches
Fixed as of version 2.6.7
Workarounds
No.
References
No.
AnalysisAI
Memory exhaustion and endless loop in Setasign FPDI (composer package setasign/fpdi) allow remote attackers to crash PHP server-side scripts by uploading a small, specially crafted PDF file. All versions prior to 2.6.7 are affected, and any web application that exposes FPDI-based PDF processing to user-supplied input is vulnerable. Repeated submissions can sustain service unavailability; no public exploit has been identified at time of analysis, and no CISA KEV listing exists.
Technical ContextAI
FPDI is a PHP composer library (setasign/fpdi) used to import and process existing PDF documents server-side. The root cause maps to CWE-770 (Allocation of Resources Without Limits or Throttling): when parsing a maliciously structured PDF, the library fails to bound memory allocation or detect and break from infinite parsing loops. PHP scripts executing FPDI will either exhaust available server memory or hit the configured script execution time-out (max_execution_time), causing a fatal crash. The vulnerability is triggered during PDF structure traversal - likely in cross-reference table or object stream parsing - where a crafted input causes unbounded resource consumption.
RemediationAI
Upgrade the composer package setasign/fpdi to version 2.6.7 or later by running 'composer update setasign/fpdi' or pinning '^2.6.7' in composer.json. This is the vendor-released patch per the GitHub advisory at https://github.com/Setasign/FPDI/security/advisories/GHSA-2mgw-7q6p-8grg; no workarounds are offered by the vendor. As a compensating control pending upgrade, operators should restrict access to PDF upload endpoints to authenticated and trusted users only, enforce server-side file size limits before passing files to FPDI (e.g., reject PDFs above a configured threshold), and set conservative PHP memory_limit and max_execution_time values to contain the blast radius of an attack - note that tight time-out values may also affect legitimate large PDF processing.
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36305
GHSA-2mgw-7q6p-8grg