CVE-2024-22640

7.5 HIGH

📋 TL;DR

TCPDF versions up to and including 6.6.5 contain a Regular Expression Denial of Service (ReDoS) weakness in HTML colour parsing: a crafted colour value (for example in a color/bgcolor attribute or an inline CSS colour declaration) makes the library's regex-based colour parsing backtrack excessively, pinning a CPU core for the duration of the request. Any application that feeds untrusted HTML to TCPDF's HTML parser is affected; the result is excessive CPU consumption per request and, under repeated requests, service unavailability.

💻 Affected Systems

Products:
  • TCPDF
Versions: <= 6.6.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Reachable only when HTML containing colour values is parsed (e.g. via writeHTML() or writeHTMLCell()). Applications that never pass user-controlled HTML to TCPDF, or that allowlist colour values before doing so, are not exposed.

📦 What is this software?

TCPDF is an open-source PHP library for generating PDF documents. It is commonly embedded in PHP applications to render HTML markup (reports, invoices, user-supplied content) into PDF, which is the code path this vulnerability sits in.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to CPU exhaustion, potentially affecting multiple users or systems if the PDF generation service is shared.

🟠

Likely Case

Degraded performance or temporary unavailability of PDF generation functionality for affected requests.

🟢

If Mitigated

Minimal impact if colour values are allowlisted before the HTML reaches TCPDF, or if PDF generation runs under a hard, externally enforced timeout so a spinning request is killed rather than left to consume a worker.

🌐 Internet-Facing: HIGH - Any internet-facing service using TCPDF to process user-submitted HTML could be targeted.
🏢 Internal Only: MEDIUM - Internal systems could be affected if they process untrusted HTML content.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A proof of concept is public on GitHub. Exploitation requires only the ability to submit HTML that the application passes to TCPDF's HTML parser, with whatever access the application itself demands for that; no memory corruption or special environment is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.6.6

Vendor Advisory: https://github.com/tecnickcom/TCPDF

Restart Required: No (library files are replaced in place; if OPcache runs with opcache.validate_timestamps=0, reset OPcache or restart PHP-FPM so the patched files are actually loaded)

Instructions:

1. Update TCPDF to version 6.6.6 or later (for Composer installs: composer require tecnickcom/tcpdf:^6.6.6; for manual installs, replace the library files with the patched release).
2. Confirm the running version is 6.6.6 or later (see How to Verify below).
3. Test PDF generation functionality, including HTML that carries colour attributes and inline styles, to confirm nothing regressed.

🔧 Temporary Workarounds

Input Validation

Platform: all

Validate HTML before passing it to TCPDF: allowlist colour values (named colours, #rgb/#rrggbb, rgb()) in color/bgcolor attributes and inline style declarations, strip or reject anything else, and cap the size of the submitted HTML. A length cap on colour values alone bounds the regex work to a constant.

Rate Limiting

Platform: all

Implement rate limiting on PDF generation endpoints to prevent repeated exploitation attempts.

🧯 If You Can't Patch

  • Allowlist colour values in color/bgcolor attributes and inline style declarations; strip or reject everything else and cap input size
  • Run PDF generation under a hard timeout enforced outside the PHP interpreter (e.g. php-fpm request_terminate_timeout or a job-queue timeout) and in a separate worker pool, so a spinning request is killed instead of starving the web tier
  • Monitor CPU usage on PDF generation services and implement circuit breakers
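The Input Validation workaround above and the first "If You Can't Patch" bullet both come down to the same control: never let an unbounded colour string reach TCPDF. The following is an added example written for this page, not code from the TCPDF project, showing one way to do that in the calling application. It parses the untrusted HTML with DOMDocument, allowlists colour values in color/bgcolor attributes and in colour-carrying style declarations, and strips anything that fails. The function names, the 32-character colour cap, the 256 KiB input cap and the named-colour list are assumptions chosen for the example; the sample input is constructed and is not a real exploit payload.

```php
<?php
declare(strict_types=1);

// Added example (not TCPDF project code): allowlist colour values in untrusted
// HTML before handing it to TCPDF's HTML parser, so a crafted colour string
// never reaches the library's regex-based colour parsing.

const MAX_COLOR_LEN  = 32;          // assumption: no legitimate CSS colour is longer
const MAX_HTML_BYTES = 256 * 1024;  // assumption: generous cap for report-sized input
const NAMED_COLORS   = ['black', 'white', 'red', 'green', 'blue', 'yellow', 'gray', 'grey',
    'silver', 'maroon', 'navy', 'olive', 'purple', 'teal', 'aqua', 'fuchsia', 'lime', 'orange',
    'transparent'];
// CSS properties whose value is (or may start with) a colour; checked conservatively.
const COLOR_PROPERTIES = ['color', 'background-color', 'background', 'border-color'];

/** True only for short, well-formed colours: named, #rgb/#rrggbb, or rgb(n,n,n). */
function isSafeColor(string $value): bool
{
    $value = trim($value);
    if ($value === '' || strlen($value) > MAX_COLOR_LEN) {
        return false;   // the length cap alone bounds any regex work to a constant
    }
    $lower = strtolower($value);
    if (in_array($lower, NAMED_COLORS, true)) {
        return true;
    }
    // Anchored patterns with no overlapping quantifiers: each matches in linear time.
    if (preg_match('/^#(?:[0-9a-f]{3}|[0-9a-f]{6})\z/', $lower) === 1) {
        return true;
    }
    return preg_match('/^rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\)\z/', $lower) === 1;
}

/** True when every colour-carrying declaration in a style="" value is safe. */
function styleHasOnlySafeColors(string $style): bool
{
    foreach (explode(';', $style) as $decl) {
        if (strpos($decl, ':') === false) {
            continue;
        }
        [$prop, $val] = explode(':', $decl, 2);
        if (in_array(strtolower(trim($prop)), COLOR_PROPERTIES, true) && !isSafeColor($val)) {
            return false;   // conservative: the whole style attribute will be dropped
        }
    }
    return true;
}

/** Returns $html with every unsafe colour attribute / style attribute removed. */
function sanitizeHtmlColors(string $html): string
{
    if (strlen($html) > MAX_HTML_BYTES) {
        throw new InvalidArgumentException('HTML input too large');
    }
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);   // untrusted markup is rarely well-formed
    // Wrap in a known element so the fragment can be extracted again afterwards.
    $dom->loadHTML('<?xml encoding="UTF-8"><div id="root">' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();

    foreach ($dom->getElementsByTagName('*') as $el) {
        foreach (['color', 'bgcolor'] as $attr) {
            if ($el->hasAttribute($attr) && !isSafeColor($el->getAttribute($attr))) {
                $el->removeAttribute($attr);
            }
        }
        if ($el->hasAttribute('style') && !styleHasOnlySafeColors($el->getAttribute('style'))) {
            $el->removeAttribute('style');
        }
    }

    $root = $dom->getElementsByTagName('div')->item(0);   // our wrapper, first in document order
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $dom->saveHTML($child);
    }
    return $out;
}

// Constructed sample (not a real exploit): one benign colour and one very long
// junk value of the kind a ReDoS probe would use. The junk attribute is stripped.
$sample = '<p style="color:#ff0000">ok</p>'
        . '<font color="' . str_repeat('#0', 5000) . '!">bad</font>';
$clean = sanitizeHtmlColors($sample);
echo $clean, PHP_EOL;   // <p style="color:#ff0000">ok</p><font>bad</font>

if (class_exists('TCPDF')) {   // only when the library is actually installed
    $pdf = new TCPDF();
    $pdf->AddPage();
    $pdf->writeHTML($clean);   // TCPDF now only ever sees allowlisted colours
}
```

The allowlist deliberately rejects rgba(), hsl() and colour keywords outside the list; extend NAMED_COLORS and the patterns to what your templates actually use rather than loosening the length cap, since the cap is what makes the check immune to backtracking regardless of pattern.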

🔍 How to Verify

Check if Vulnerable:

Check the TCPDF version in code or composer.json/composer.lock. If the version is <= 6.6.5 and the application passes HTML to TCPDF (writeHTML(), writeHTMLCell()), the application is exposed.

Check Version:

Check composer.lock for the installed "tecnickcom/tcpdf" version (composer.json only holds the constraint), or inspect the version string in include/tcpdf_static.php. At runtime, TCPDF::getTCPDFVersion() returns the loaded library's version.
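An added example, not code from the TCPDF project, that automates the check above for a Composer-based deployment: it prefers the version the loaded library reports about itself (TCPDF_STATIC::getTCPDFVersion()) and falls back to parsing composer.lock. The function names, the assumed current-directory layout (composer.lock and vendor/autoload.php) and the exit codes are assumptions; the 6.6.6 threshold is the fixed version stated on this page.

```php
<?php
declare(strict_types=1);

// Added example (not TCPDF project code): is the installed TCPDF below the first
// fixed release named on this page? Assumes a Composer layout in the current
// directory; manual installs are covered if the library is already autoloadable.

const FIRST_FIXED_VERSION = '6.6.6';
const PACKAGE = 'tecnickcom/tcpdf';

/** Locked version from composer.lock (both package sections), or null if absent. */
function lockedTcpdfVersion(string $lockFile = 'composer.lock'): ?string
{
    if (!is_readable($lockFile)) {
        return null;
    }
    $lock = json_decode((string) file_get_contents($lockFile), true);
    if (!is_array($lock)) {
        return null;
    }
    // Dev-only installs still run in CI and tooling, so check both sections.
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (($pkg['name'] ?? null) === PACKAGE) {
            return ltrim((string) ($pkg['version'] ?? ''), 'v');   // Composer may prefix "v"
        }
    }
    return null;
}

/** True for every release before the first fixed one, i.e. <= 6.6.5. */
function isVulnerableTcpdfVersion(string $version): bool
{
    return version_compare($version, FIRST_FIXED_VERSION, '<');
}

/** What is actually loaded beats what the lock file says, when both are available. */
function installedTcpdfVersion(): ?string
{
    if (is_file('vendor/autoload.php')) {
        require_once 'vendor/autoload.php';
    }
    if (class_exists('TCPDF_STATIC')) {
        return TCPDF_STATIC::getTCPDFVersion();
    }
    return lockedTcpdfVersion();
}

$version = installedTcpdfVersion();
if ($version === null) {
    fwrite(STDERR, "TCPDF not found via autoload or composer.lock\n");
    exit(2);   // assumption: 2 = could not determine
}
$vulnerable = isVulnerableTcpdfVersion($version);
printf("TCPDF %s: %s\n", $version,
    $vulnerable ? 'VULNERABLE to CVE-2024-22640, upgrade to ' . FIRST_FIXED_VERSION . ' or later'
                : 'not affected by CVE-2024-22640');
exit($vulnerable ? 1 : 0);   // non-zero on vulnerable so CI pipelines can fail on it
```

Run it from the application root; a non-zero exit is what a CI gate or fleet-wide audit script should key on, not the printed text.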

Verify Fix Applied:

Verify the running TCPDF version is 6.6.6 or later. Then feed the HTML parser a known long, malformed colour value (in a staging environment) and confirm the request completes in bounded time rather than spinning; the fix bounds the parsing, it does not necessarily reject the input.

📡 Detection & Monitoring

Log Indicators:

  • High CPU usage on PDF generation processes, with individual PHP workers at 100% of a core
  • Long-running PDF generation requests, including ones terminated by request_terminate_timeout or max_execution_time
  • Multiple failed or timed-out PDF generation attempts from the same client
  • PHP-FPM pool saturation (workers at pm.max_children) while overall request volume is normal

Network Indicators:

  • Repeated requests to PDF generation endpoints with HTML payloads, especially from a single source
  • Unusually long colour values in submitted HTML (legitimate CSS colours are at most a few dozen characters)

SIEM Query:

source="web_server" AND method="POST" AND (uri="*/pdf*" OR uri="*/generate*") AND duration>10s AND (status="500" OR status="502" OR status="504")

This is a pseudo-query; map the field names to your log schema. A request killed by a PHP or reverse-proxy timeout usually surfaces as 500, 502 or 504 rather than a single code, and a slow request that eventually succeeds (status 200 with a long duration) is equally worth alerting on, so consider dropping the status clause and alerting on duration alone for these endpoints.

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-22640
  • TCPDF repository: https://github.com/tecnickcom/TCPDF