CVE-2024-22641

7.5 HIGH

📋 TL;DR

TCPDF versions 6.6.5 and earlier contain a Regular Expression Denial of Service (ReDoS) vulnerability that is triggered when the library parses an untrusted SVG file. A crafted SVG makes a regular expression in the SVG parser backtrack catastrophically, pinning a CPU core for the duration of the request; enough concurrent requests exhaust the PHP worker pool and take the service down. This affects any application that hands user-supplied SVG content to TCPDF, directly (ImageSVG) or indirectly (SVG embedded in HTML passed to writeHTML).

💻 Affected Systems

Products:
  • TCPDF
Versions: 6.6.5 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when processing SVG files from untrusted sources. Applications that don't process SVG files or only use trusted SVG files are not affected.

📦 What is this software?

TCPDF is an open-source PHP library for generating PDF documents server-side. It renders HTML, raster images and SVG into PDF pages, which is why SVG supplied by end users (uploaded logos, signatures, charts) commonly reaches its SVG parser in invoicing, reporting and document-generation applications.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service where the application becomes unresponsive due to CPU exhaustion, potentially affecting all users of the service.

🟠

Likely Case

Each crafted SVG ties up one PHP worker for as long as the regular expression backtracks (or until the request is killed by a timeout). A handful of concurrent submissions can exhaust the worker pool, so the outage hits all users of the service, not only the one submitting the file; once the malicious requests stop, service recovers without data loss.

🟢

If Mitigated

Minimal impact with proper input validation and resource limits in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY (a single crafted SVG file is the whole exploit; no separate tooling is needed)
Unauthenticated Exploit: ⚠️ Yes, if the SVG intake path (upload form, API endpoint, HTML-to-PDF conversion) is reachable without credentials; otherwise the attacker needs whatever access that path requires
Complexity: LOW

Exploitation only requires the ability to submit an SVG file, or HTML containing inline SVG, to a code path that passes it to TCPDF. Proof-of-concept SVG files have been published on GitHub. The payload does not need to be large: a few kilobytes of repetitive content is enough to trigger the backtracking.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.6.6 or later

Vendor Advisory: https://github.com/tecnickcom/TCPDF

Restart Required: No (with a caveat for OPcache, see below)

Instructions:

1. Update TCPDF to version 6.6.6 or later (Composer package tecnickcom/tcpdf), or replace the library files with the patched version if it was vendored by hand.
2. If PHP OPcache runs with opcache.validate_timestamps=0 (a common production setting), the old code stays cached until the cache is reset or PHP-FPM is restarted; reload PHP-FPM in that case so the patched files are actually loaded.
3. Confirm the loaded version afterwards (see How to Verify) rather than trusting the file on disk.

🔧 Temporary Workarounds

Disable SVG processing (all platforms)

  Prevent TCPDF from processing SVG files entirely: modify the application code to reject SVG input (file uploads with image/svg+xml content, .svg filenames, and inline <svg> in HTML) before it is passed to TCPDF. Trusted SVG that ships with the application is unaffected and can still be rendered.

Implement input validation (all platforms)

  Validate SVG files before processing with TCPDF: enforce a byte-size limit on SVG uploads and check the document's structure with an XML parser rather than with regular expressions, so the validation step cannot itself be used for ReDoS.

🧯 If You Can't Patch

  • Implement strict file upload restrictions for SVG files (content type, extension and size), applied before the file reaches TCPDF
  • Put a hard per-request timeout in front of PHP: PHP's max_execution_time is checked between opcodes and does not interrupt a regular expression that is already running, so rely on an external limit such as PHP-FPM's request_terminate_timeout or the web server's upstream timeout
  • Deploy rate limiting on the SVG intake path and resource monitoring (CPU, worker-pool saturation) to detect and block ReDoS attempts
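The two workarounds and the "can't patch" controls above can be combined into one gate that the application calls instead of TCPDF's ImageSVG(). The following is an added example written for this page, not code from TCPDF or from the advisory: it refuses untrusted SVG outright when the loaded library is older than 6.6.6, and otherwise enforces a size cap and structural limits using the XML parser only (no regular expressions, so the gate itself cannot be driven into backtracking). It assumes TCPDF is installed via Composer (tecnickcom/tcpdf); the function names and the limits SVG_MAX_BYTES, SVG_MAX_ATTR_LEN and SVG_MAX_ELEMENTS are hypothetical and should be tuned to the SVG the application legitimately accepts.

```php
<?php
// Added example (not part of TCPDF): gate untrusted SVG before it reaches TCPDF.
// Assumes Composer-installed tecnickcom/tcpdf. Limits below are assumptions.
require_once __DIR__ . '/vendor/autoload.php';

const SVG_MAX_BYTES    = 64 * 1024; // assumed cap for legitimate SVG input
const SVG_MAX_ATTR_LEN = 4 * 1024;  // assumed cap on any single attribute value
const SVG_MAX_ELEMENTS = 2000;      // assumed cap on element count

/**
 * Returns null when $svg may be handed to TCPDF, otherwise the reason to reject it.
 * Deliberately free of preg_* calls so the check itself cannot be ReDoS'd.
 */
function svgPrecheck(string $svg, bool $trustedSource = false): ?string
{
    if ($trustedSource) {
        return null; // SVG shipped with the application is out of scope for this CVE
    }
    // Workaround 1: on an unpatched library, never parse untrusted SVG at all.
    $version = TCPDF_STATIC::getTCPDFVersion();
    if (version_compare($version, '6.6.6', '<')) {
        return "TCPDF $version is older than 6.6.6: untrusted SVG disabled";
    }
    // Workaround 2: size limit first, before any parsing work is spent.
    if (strlen($svg) > SVG_MAX_BYTES) {
        return 'SVG exceeds ' . SVG_MAX_BYTES . ' bytes';
    }
    // Structural checks with libxml: no network access, entities left unexpanded.
    $prevErrors = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $loaded = $doc->loadXML($svg, LIBXML_NONET | LIBXML_NOCDATA);
    libxml_clear_errors();
    libxml_use_internal_errors($prevErrors);
    $root = $loaded ? $doc->documentElement : null;
    if ($root === null || $root->localName !== 'svg') {
        return 'not a well-formed SVG document';
    }
    $count = 0;
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (++$count > SVG_MAX_ELEMENTS) {
            return 'too many elements';
        }
        foreach ($el->attributes as $attr) {
            // Long, repetitive attribute values are the usual carrier of a ReDoS payload.
            if (strlen($attr->value) > SVG_MAX_ATTR_LEN) {
                return sprintf('attribute %s on <%s> exceeds %d bytes',
                    $attr->name, $el->localName, SVG_MAX_ATTR_LEN);
            }
        }
    }
    return null;
}

/**
 * Call this instead of $pdf->ImageSVG() directly. Throws on rejection so a
 * caller cannot silently ignore the verdict; the rejection is also logged
 * so monitoring can count refused SVGs per source.
 */
function safeImageSvg(TCPDF $pdf, string $svg, float $x, float $y,
                      float $w, float $h, bool $trusted = false): void
{
    $reason = svgPrecheck($svg, $trusted);
    if ($reason !== null) {
        error_log('rejected SVG: ' . $reason);
        throw new InvalidArgumentException('SVG rejected: ' . $reason);
    }
    // TCPDF accepts inline SVG data when the first argument starts with '@'.
    $pdf->ImageSVG('@' . $svg, $x, $y, $w, $h);
}

// Usage with a constructed, benign SVG string.
$pdf = new TCPDF();
$pdf->AddPage();
$svg = '<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
     . '<circle cx="50" cy="50" r="40" fill="navy"/></svg>';
safeImageSvg($pdf, $svg, 10, 10, 50, 50);
$pdf->Output('out.pdf', 'F');
```

The version check is the important part while unpatched: it turns the "disable SVG processing" workaround on automatically and turns it back off once the patched library is loaded, so the gate can be deployed now and left in place. The byte and attribute limits are defence in depth for after the patch, since they also bound the work any future parser bug can be made to do.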

🔍 How to Verify

Check if Vulnerable:

Check the TCPDF version in your application. If using version 6.6.5 or earlier and processing SVG files, you are vulnerable.

Check Version:

In TCPDF 6.x the version string lives in include/tcpdf_static.php (the $tcpdf_version property, exposed as TCPDF_STATIC::getTCPDFVersion()); read it from the running application rather than from disk so OPcache does not mask an incomplete update. If installed via Composer, run composer show tecnickcom/tcpdf and check composer.lock rather than composer.json, since the latter only records the constraint.

Verify Fix Applied:

Verify TCPDF version is 6.6.6 or later and test SVG file processing functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for requests that carry SVG input (uploads or HTML-to-PDF conversions), often ending in a gateway timeout
  • PHP-FPM "execution timed out" or request_terminate_timeout entries, and 502/504 responses from the upstream, concentrated on the PDF-generation endpoint
  • High, sustained CPU usage on PHP workers while request throughput drops
  • Repeated failed or abandoned PDF generation attempts from the same user or source address

Network Indicators:

  • Multiple SVG uploads from a single source in a short window; note that a ReDoS payload need not be large, so size alone is a weak signal and frequency plus server-side timing is the better one
  • Unusual patterns in file upload traffic, such as uploads with image/svg+xml content type to endpoints that normally receive raster images

SIEM Query:

source="web_server" method="POST" (uri="*.svg" OR uri="*.php") response_time>5000

(The parentheses matter: in Splunk-style search AND binds tighter than OR, so without them the original form matched every .svg URI regardless of method. response_time is assumed to be in milliseconds; adjust the threshold to your log's unit and to the normal PDF-generation latency.)
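To make the indicators above concrete, here is an added example, not part of the advisory or of TCPDF, that runs the same two checks as the query (a slow request carrying SVG, and a burst of SVG submissions from one source) over a handful of constructed JSON access-log lines. The field names ts, src, method, uri, ctype, bytes_in and ms, and the thresholds SLOW_MS, BURST_COUNT and BURST_WINDOW_S, are assumptions to be mapped onto your own log format.

```php
<?php
// Added example (not from the advisory): ReDoS indicators over access-log lines.
// Log format and thresholds are assumptions; the sample lines are constructed.

const SLOW_MS        = 5000; // same threshold as response_time>5000 above (assumed ms)
const BURST_COUNT    = 5;    // SVG submissions from one source within the window
const BURST_WINDOW_S = 60;

/** A POST whose body is SVG-typed or whose path names an .svg file. */
function isSvgUpload(array $r): bool
{
    if (($r['method'] ?? '') !== 'POST') {
        return false;
    }
    $path = strtolower((string) parse_url($r['uri'] ?? '', PHP_URL_PATH));
    return str_starts_with($r['ctype'] ?? '', 'image/svg')
        || str_ends_with($path, '.svg');
}

/**
 * Returns one alert string per indicator hit, in log order.
 * Indicator 1 fires per slow SVG request; indicator 2 fires once when a
 * source reaches BURST_COUNT SVG submissions inside BURST_WINDOW_S seconds.
 */
function analyzeLogs(array $jsonLines): array
{
    $alerts = [];
    $recent = []; // src => timestamps of its SVG submissions inside the window
    foreach ($jsonLines as $line) {
        $r = json_decode($line, true);
        if (!is_array($r) || !isSvgUpload($r)) {
            continue;
        }
        $t = strtotime($r['ts']);
        if (($r['ms'] ?? 0) > SLOW_MS) {
            $alerts[] = sprintf('slow-svg src=%s uri=%s ms=%d bytes_in=%d',
                $r['src'], $r['uri'], $r['ms'], $r['bytes_in'] ?? 0);
        }
        $src = $r['src'];
        $recent[$src] = array_values(array_filter($recent[$src] ?? [],
            fn ($x) => $t - $x <= BURST_WINDOW_S));
        $recent[$src][] = $t;
        if (count($recent[$src]) === BURST_COUNT) {
            $alerts[] = sprintf('svg-burst src=%s count=%d window=%ds',
                $src, BURST_COUNT, BURST_WINDOW_S);
        }
    }
    return $alerts;
}

// Constructed sample: one benign PNG upload, one slow but small SVG (a ReDoS
// payload does not need to be large), then a burst of SVGs from one source.
$sample = [
    '{"ts":"2024-03-01T10:00:00Z","src":"198.51.100.7","method":"POST","uri":"/invoice/logo","ctype":"image/png","bytes_in":48211,"ms":310}',
    '{"ts":"2024-03-01T10:00:05Z","src":"203.0.113.9","method":"POST","uri":"/invoice/logo","ctype":"image/svg+xml","bytes_in":3100,"ms":12000}',
    '{"ts":"2024-03-01T10:01:00Z","src":"203.0.113.9","method":"POST","uri":"/report.php","ctype":"image/svg+xml","bytes_in":2900,"ms":420}',
    '{"ts":"2024-03-01T10:01:05Z","src":"203.0.113.9","method":"POST","uri":"/report.php","ctype":"image/svg+xml","bytes_in":2900,"ms":415}',
    '{"ts":"2024-03-01T10:01:10Z","src":"203.0.113.9","method":"POST","uri":"/report.php","ctype":"image/svg+xml","bytes_in":2900,"ms":430}',
    '{"ts":"2024-03-01T10:01:15Z","src":"203.0.113.9","method":"POST","uri":"/report.php","ctype":"image/svg+xml","bytes_in":2900,"ms":410}',
    '{"ts":"2024-03-01T10:01:20Z","src":"203.0.113.9","method":"POST","uri":"/upload/chart.svg","ctype":"application/octet-stream","bytes_in":2900,"ms":405}',
];

foreach (analyzeLogs($sample) as $alert) {
    echo $alert, PHP_EOL;
}
```

The second sample line is the one worth noticing: 3.1 KB of input, 12 seconds of server time. Alerting on size would miss it; alerting on server-side latency for requests that carry SVG catches it on the first occurrence, and the burst rule catches a quieter attacker who keeps each request under the timeout.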
