CVE-2025-65875

8.8 HIGH

📋 TL;DR

This CVE describes an arbitrary file upload vulnerability in FPDF's AddFont() function that allows attackers to upload malicious PHP files. Successful exploitation could lead to remote code execution on affected systems. Organizations using FPDF v1.86 or earlier for PDF generation with font handling capabilities are at risk.

💻 Affected Systems

Products:
  • FPDF
Versions: v1.86 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects implementations using the AddFont() function with insufficient file upload validation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the web server, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Web server compromise leading to defacement, data theft, or deployment of additional malware payloads.

🟢 If Mitigated

Attack blocked at web application firewall level or file upload validation prevents malicious file execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires ability to upload files to the AddFont() function endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v1.87 or later

Vendor Advisory: http://www.fpdf.org

Restart Required: No

Instructions:

1. Update FPDF to version 1.87 or later.
2. Replace the FPDF library files in your application.
3. Test PDF generation functionality.

🔧 Temporary Workarounds

Implement file upload validation (applies to: all)

Add server-side validation to restrict uploaded files to specific font formats only.

Disable AddFont() functionality (applies to: all)

Remove or disable the AddFont() function if it is not required.

🧯 If You Can't Patch

  • Implement strict file upload validation allowing only .ttf, .otf, and .pfb font files
  • Deploy web application firewall rules to block PHP file uploads to the affected endpoint
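The validation described above, as an added example that is not part of this advisory or of FPDF itself: an upload handler that accepts only .ttf, .otf and .pfb files, checks the file content against each format's magic bytes, and stores the file under a server-chosen name outside the web root before the application passes it on to FPDF. The directory, constant names and the helper function are assumptions made for this example.

```php
<?php
// Added example (not from the advisory or FPDF): validate an uploaded font
// file before the application hands it to FPDF. FONT_DIR, FONT_TYPES and
// validateFontUpload() are names chosen for this example.

// Allowed extensions and the magic bytes each format must start with.
const FONT_TYPES = [
    'ttf' => ["\x00\x01\x00\x00", "true"],  // TrueType (sfnt version 1.0 or 'true')
    'otf' => ["OTTO", "\x00\x01\x00\x00"],  // OpenType with CFF or TrueType outlines
    'pfb' => ["\x80\x01"],                  // PostScript Type 1, PFB segment header
];

// Directory outside the web root: uploaded fonts are never served or executed.
const FONT_DIR = '/var/app/fonts/';

function validateFontUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // Only the last extension counts, so "font.php.ttf" is judged as ttf, and the
    // client-supplied name is never reused for the stored file.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(FONT_TYPES[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // The first bytes must match the declared format, not just the extension.
    $head = (string) file_get_contents($file['tmp_name'], false, null, 0, 4);
    $matches = false;
    foreach (FONT_TYPES[$ext] as $magic) {
        if (strncmp($head, $magic, strlen($magic)) === 0) {
            $matches = true;
            break;
        }
    }
    if (!$matches) {
        throw new RuntimeException("content does not match a $ext font");
    }
    // Random server-chosen filename with the validated extension; no user input in the path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], FONT_DIR . $stored)) {
        throw new RuntimeException('could not store font');
    }
    chmod(FONT_DIR . $stored, 0640); // readable by the app, never executable
    return $stored;
}
```

A rejected upload should be logged with the declared extension and the mismatched header bytes, which also feeds the "PHP file upload attempts with font-related filenames" indicator listed under Detection & Monitoring.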

🔍 How to Verify

Check if Vulnerable:

Check if your application uses FPDF version 1.86 or earlier and has the AddFont() function enabled.

Check Version:

Check the fpdf.php file header for version information, or use composer show tecnickcom/tcpdf.

Verify Fix Applied:

Verify FPDF version is 1.87 or later and test that PHP file uploads to AddFont() endpoint are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to AddFont endpoint
  • PHP file upload attempts with font-related filenames
  • Web server error logs showing file permission issues

Network Indicators:

  • POST requests to AddFont endpoints with PHP file content
  • Unusual outbound connections from web server after file upload

SIEM Query:

source="web_server" AND (uri="*AddFont*" OR uri="*addfont*") AND (file_extension="php" OR file_extension="phtml")
