CVE-2024-51058

6.2 MEDIUM

📋 TL;DR

A Local File Inclusion (LFI) vulnerability in TCPDF 6.7.5 allows attackers to read arbitrary files from the server's file system through malicious <img> src tags in PDF generation. This can expose sensitive information like configuration files, credentials, or source code. Any application using the vulnerable TCPDF version for PDF generation is affected.

💻 Affected Systems

Products:
  • TCPDF
Versions: 6.7.5 specifically (check commit history for other potentially affected versions)
Operating Systems: All operating systems running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where TCPDF is used to generate PDFs from user-controlled input containing <img> tags.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server file system disclosure leading to credential theft, source code exposure, and potential lateral movement within the network.

🟠 Likely Case: Sensitive file disclosure including configuration files, environment variables, and application secrets.

🟢 If Mitigated: Limited file access restricted by server permissions and file path validation.

🌐 Internet-Facing: HIGH - Web applications generating PDFs from user input are directly exploitable.
🏢 Internal Only: MEDIUM - Internal applications could still be exploited by authenticated users or through other attack vectors.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user input that gets processed through TCPDF's PDF generation with <img> tags. Public proof-of-concept available in GitHub repository.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b and later versions

Vendor Advisory: https://github.com/tecnickcom/TCPDF/commit/bfa7d2b6d455ebf72ebe3d48fbd487ee5a1f6f3b

Restart Required: No

Instructions:

1. Update TCPDF to the latest version from GitHub.
2. Replace the vulnerable TCPDF files with the patched version.
3. Test PDF generation functionality.

🔧 Temporary Workarounds

Input Validation and Sanitization (scope: all)

Validate and sanitize all user input before passing it to TCPDF, especially <img> src attributes.

Disable Image File Inclusion (scope: all)

Configure TCPDF to disallow the file:// protocol in image sources if it is not required.

🧯 If You Can't Patch

  • Implement strict input validation to reject or sanitize file paths in <img> tags
  • Use web application firewall (WAF) rules to block LFI patterns in PDF generation requests
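The input-validation workaround and the "If You Can't Patch" advice above, as an added example rather than code from TCPDF or from this advisory: a PHP 8 pre-filter that parses the untrusted HTML fragment, keeps only <img> sources that are either on an allow-list of HTTPS hosts or confined to a local image directory, and removes everything else (file://, other schemes, absolute paths, traversal) before the markup is handed to TCPDF's writeHTML(). The allow-list, the image directory, the function names and the sample input are all constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not part of TCPDF. Filters <img> src values before the HTML
// reaches TCPDF::writeHTML(), so no local file path can be included.
// Assumptions (constructed for this example): images may only come from the
// HTTPS hosts below, or from relative paths inside IMAGE_BASE_DIR.
const ALLOWED_IMAGE_HOSTS = ['cdn.example.com'];      // constructed allow-list
const IMAGE_BASE_DIR = __DIR__ . '/public/images';    // assumed local image root

/**
 * Returns a safe src value, or null when the image must be removed.
 */
function safeImageSrc(string $src): ?string
{
    $src = trim($src);

    // Anything with a scheme must be https and on the allow-list; this rejects
    // file://, php://, data: and similar schemes outright.
    $scheme = parse_url($src, PHP_URL_SCHEME);
    if ($scheme !== null) {
        if (strtolower($scheme) !== 'https') {
            return null;
        }
        $host = parse_url($src, PHP_URL_HOST);
        if ($host === null || !in_array(strtolower($host), ALLOWED_IMAGE_HOSTS, true)) {
            return null;
        }
        return $src;
    }

    // Scheme-less value: treat it as a relative path and confine it to IMAGE_BASE_DIR.
    if ($src === '' || str_starts_with($src, '/') || str_starts_with($src, '\\') || str_contains($src, "\0")) {
        return null;
    }
    $base     = realpath(IMAGE_BASE_DIR);
    $resolved = realpath(IMAGE_BASE_DIR . '/' . $src);
    if ($base === false || $resolved === false || !str_starts_with($resolved, $base . DIRECTORY_SEPARATOR)) {
        return null;   // missing file, or "../" traversal that escapes the image directory
    }
    return $resolved;
}

/**
 * Rewrites every <img> in an HTML fragment: safe sources are kept (normalised),
 * all others are dropped from the document.
 */
function sanitizeImagesForTcpdf(string $html): string
{
    $doc = new DOMDocument();
    // NOIMPLIED/NODEFDTD keep libxml from wrapping the fragment in <html><body>;
    // the fragment is assumed to be ASCII or entity-encoded for this example.
    $doc->loadHTML($html, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD | LIBXML_NOERROR | LIBXML_NOWARNING);

    // Copy the live node list first: removing nodes while iterating it skips elements.
    foreach (iterator_to_array($doc->getElementsByTagName('img')) as $img) {
        $safe = safeImageSrc($img->getAttribute('src'));
        if ($safe === null) {
            $img->parentNode->removeChild($img);
        } else {
            $img->setAttribute('src', $safe);
        }
    }
    return $doc->saveHTML();
}

// Constructed sample input resembling a file inclusion attempt via an <img> tag.
$untrusted = '<p>Report</p><img src="file:///etc/passwd"><img src="https://cdn.example.com/logo.png">';
$clean = sanitizeImagesForTcpdf($untrusted);
// $clean now contains the <p> and the allow-listed HTTPS image only.
// $pdf->writeHTML($clean);   // hand only the filtered markup to TCPDF
echo $clean;
```

The filter works as an allow-list rather than a deny-list of schemes: a new scheme or an encoding trick that a block-list author did not anticipate is rejected by default, and local paths are canonicalised with realpath() before being compared against the image directory, which also neutralises "../" sequences.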

🔍 How to Verify

Check if Vulnerable:

Check if TCPDF version is 6.7.5 and application processes user-controlled <img> tags in PDF generation.

Check Version:

Check TCPDF version in TCPDF installation directory or composer.json

Verify Fix Applied:

Test PDF generation with a malicious <img src="file:///etc/passwd"> tag in the input; the resulting PDF should not disclose the file's contents.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file paths in PDF generation requests
  • Multiple failed file inclusion attempts
  • Large number of PDF generation requests with file:// URLs

Network Indicators:

  • HTTP requests containing file:// paths in POST data or parameters
  • Abnormal traffic patterns to PDF generation endpoints

SIEM Query:

source="web_logs" AND (uri="*generate_pdf*" OR uri="*pdf*" OR uri="*tcpdf*") AND (request_body="*file://*" OR params="*file://*")
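The log indicators and the SIEM query above, applied in code as an added example (not from this advisory or from TCPDF): a small PHP pass over constructed JSON access-log lines that flags requests to PDF-generation endpoints whose bodies contain file:// URLs, "../" traversal or well-known local paths, after URL-decoding so that encoded forms such as file%3A%2F%2F are caught too, and then counts hits per client to surface the "multiple attempts" pattern. The log format, field names, endpoint names and addresses are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not part of the advisory. Constructed sample log lines in a
// JSON-per-line format; the field names (ts, client_ip, uri, body) and all
// addresses/paths are assumptions made for this example.
const SAMPLE_LOGS = <<<'LOGS'
{"ts":"2024-11-01T10:00:01Z","client_ip":"203.0.113.5","uri":"/report/generate_pdf","body":"html=%3Cimg+src%3D%22file%3A%2F%2F%2Fetc%2Fpasswd%22%3E"}
{"ts":"2024-11-01T10:00:02Z","client_ip":"203.0.113.5","uri":"/report/generate_pdf","body":"html=%3Cimg+src%3D%22file%3A%2F%2F%2Fetc%2Fshadow%22%3E"}
{"ts":"2024-11-01T10:00:03Z","client_ip":"198.51.100.7","uri":"/report/generate_pdf","body":"html=%3Cp%3EQ3+summary%3C%2Fp%3E"}
{"ts":"2024-11-01T10:00:04Z","client_ip":"203.0.113.5","uri":"/invoice/pdf","body":"html=%3Cimg+src%3D%22..%2F..%2Fconfig.php%22%3E"}
{"ts":"2024-11-01T10:00:05Z","client_ip":"198.51.100.7","uri":"/login","body":"user=alice"}
LOGS;

// Same endpoint heuristics as the SIEM query: generate_pdf, tcpdf, or a /pdf path segment.
function isPdfEndpoint(string $uri): bool
{
    return (bool) preg_match('~(generate_pdf|tcpdf|/pdf)~i', $uri);
}

// Looks for local-file indicators after URL-decoding, so percent-encoded
// payloads are matched as well as literal ones.
function hasLocalFileIndicator(string $body): bool
{
    $decoded = rawurldecode($body);
    return (bool) preg_match('~file://|(^|[/\\\\"\'=])\.\./|/etc/(passwd|shadow)~i', $decoded);
}

/**
 * Returns the decoded log entries that hit a PDF endpoint with a local-file indicator.
 */
function findLfiAttempts(string $logText): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($logText)) as $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry) || !isPdfEndpoint($entry['uri'] ?? '')) {
            continue;
        }
        if (hasLocalFileIndicator($entry['body'] ?? '')) {
            $hits[] = $entry;
        }
    }
    return $hits;
}

/**
 * Counts hits per client address, highest first, to expose repeated attempts.
 */
function countByClient(array $hits): array
{
    $counts = [];
    foreach ($hits as $hit) {
        $ip = $hit['client_ip'] ?? 'unknown';
        $counts[$ip] = ($counts[$ip] ?? 0) + 1;
    }
    arsort($counts);
    return $counts;
}

$hits = findLfiAttempts(SAMPLE_LOGS);   // 3 of the 5 sample lines, all from 203.0.113.5
foreach ($hits as $hit) {
    printf("%s %s %s\n", $hit['ts'], $hit['client_ip'], $hit['uri']);
}
foreach (countByClient($hits) as $ip => $n) {
    printf("%s: %d suspicious PDF-generation requests\n", $ip, $n);
}
```

Decoding before matching is the main difference from the raw SIEM query, which only sees the literal string file:// and misses percent-encoded request bodies; the per-client count turns isolated matches into the burst pattern listed under Log Indicators.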
