
Debian 11: DLA-4199-1 critical: tcpdf denial of service issues

Debian LTS
June 3, 2025
This patch resolves multiple vulnerabilities in TCPDF for Debian systems, protecting against denial of service attacks and other potential risks.
Multiple security issues were discovered in TCPDF, a PHP class for generating PDF files on-the-fly, which may result in denial of service, cross-site scripting or information discl...

Summary

CVE-2024-22640

ReDoS (Regular Expression Denial of Service) if parsing an untrusted HTML
page with a crafted color.

CVE-2024-22641

ReDoS (Regular Expression Denial of Service) when parsing a specially
crafted SVG file.

CVE-2024-32489

TCPDF mishandles calls that use HTML syntax.

CVE-2024-51058

Local File Inclusion (LFI) vulnerability through the src tag.

CVE-2024-56519

setSVGStyles does not sanitize the SVG font-family attribute.

CVE-2024-56520

TCPDF, through its use of tc-lib-pdf-font, mishandles fonts like FontBBox
for Type 1 and misparses TrueType fonts.

CVE-2024-56522

The unserializeTCPDFtag() function does not use a constant-time comparison
when checking TCPDF tag hashes, which leaves the check open to timing analysis.

CVE-2024-56527

The Error() function lacks an htmlspecialchars call for the error message.

For Debian 11 bullseye, these problems have been fixed in version
6.3.5+dfsg1-1+deb11u1.

We recommend that you upgrade your tcpdf packages.

For the detailed security status of tcpdf please refer to



Severity: critical

Package: tcpdf
Version: 6.3.5+dfsg1-1+deb11u1
CVE ID: CVE-2024-22640 CVE-2024-22641 CVE-2024-32489 CVE-2024-51058 CVE-2024-56519 CVE-2024-56520 CVE-2024-56522 CVE-2024-56527
