CVE-2024-25885 Overview
CVE-2024-25885 is a Regular Expression Denial of Service (ReDoS) vulnerability in the getcolor function located in utils.py of xhtml2pdf version 0.2.13. Attackers exploit the flaw by supplying a crafted input string that triggers catastrophic backtracking in a vulnerable regular expression. The condition results in excessive CPU consumption and service disruption for applications processing untrusted HTML or CSS input through xhtml2pdf. The weakness is tracked as [CWE-1333] Inefficient Regular Expression Complexity.
Critical Impact
Remote attackers can degrade or disable PDF generation services by submitting a single crafted color string, exhausting CPU resources without authentication.
Affected Products
- xhtml2pdf v0.2.13
- Python applications embedding xhtml2pdf for HTML-to-PDF conversion
- Web services accepting user-supplied HTML or CSS rendered through xhtml2pdf
Discovery Timeline
- 2024-10-08 - CVE-2024-25885 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-25885
Vulnerability Analysis
The vulnerability resides in the getcolor function inside utils.py of the xhtml2pdf library. The function parses color values supplied through HTML or CSS using a regular expression that contains ambiguous quantifiers. When an attacker submits a specially crafted string, the regex engine enters catastrophic backtracking and consumes CPU time that grows non-linearly with input length. A single request can monopolize a worker process and stall additional PDF rendering tasks. Services that expose xhtml2pdf to untrusted input, such as report generators, invoicing systems, and document export endpoints, are directly exposed.
Root Cause
The root cause is an inefficient regular expression used to validate or extract color values. The pattern allows multiple ways to match the same substring, leading to exponential backtracking on malformed inputs. This class of defect is catalogued as [CWE-1333] Inefficient Regular Expression Complexity.
Attack Vector
Exploitation requires only network access to an application that forwards user-controlled HTML or CSS into xhtml2pdf. No authentication or user interaction is needed. The attacker submits a request containing a crafted color value, and the server-side regex evaluation consumes CPU until a timeout or worker exhaustion occurs. Repeated requests amplify the impact and produce a denial-of-service condition across the rendering service.
A proof-of-concept demonstrating the trigger string is published as a GitHub Gist Example.
Detection Methods for CVE-2024-25885
Indicators of Compromise
- Sustained high CPU usage in Python worker processes hosting xhtml2pdf without a corresponding increase in successful PDF generations.
- Application logs showing request timeouts during HTML or CSS parsing inside utils.py.
- HTTP requests containing unusually long or repetitive color strings in style attributes or CSS payloads.
Detection Strategies
- Inventory Python environments and identify deployments of xhtml2pdf 0.2.13 or earlier using package manifests such as pip freeze or SBOM data.
- Inspect web application firewall logs for requests carrying anomalous color tokens within style attributes or <style> blocks.
- Correlate process CPU spikes with concurrent inbound requests to PDF generation endpoints.
Monitoring Recommendations
- Set per-request CPU and wall-clock timeouts on workers invoking xhtml2pdf to bound the impact of ReDoS attempts.
- Alert on worker processes exceeding baseline CPU duration thresholds during HTML rendering.
- Track repeated 5xx responses or timeouts on PDF export endpoints from the same source address.
How to Mitigate CVE-2024-25885
Immediate Actions Required
- Upgrade xhtml2pdf to a version later than 0.2.13 that addresses the getcolor regex flaw.
- Apply strict input validation on HTML and CSS content before passing it to xhtml2pdf, rejecting overly long color tokens.
- Enforce request-level CPU and execution timeouts on PDF rendering workers.
Patch Information
Review the project repository and release notes referenced via the XHTML2PDF Resource Page for fixed versions. Upgrade through pip install --upgrade xhtml2pdf and verify the installed version after deployment.
Workarounds
- Sanitize or strip CSS color attributes from untrusted HTML before invoking xhtml2pdf.
- Run PDF generation in an isolated process with cgroup-based CPU limits or container resource caps.
- Place a web application firewall rule that blocks requests with abnormally long or recursive color token patterns.
# Upgrade xhtml2pdf and verify the installed version
pip install --upgrade xhtml2pdf
python -c "import xhtml2pdf; print(xhtml2pdf.__version__)"
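The sanitization workaround above (stripping or validating CSS color values before invoking xhtml2pdf) as an added example; this is not xhtml2pdf's own code. It assumes a 32-character cap on color tokens and the listed accepted forms (named, hex, rgb()/rgba()), and deliberately uses only anchored, bounded patterns plus explicit splitting so the check itself runs in linear time.

```python
"""Pre-filter CSS color declarations before handing HTML to xhtml2pdf.

Oversized or malformed color values are dropped up front, so a crafted
token never reaches the library's getcolor parser. Constructed example,
not part of xhtml2pdf.
"""
import re

MAX_COLOR_LEN = 32  # assumed cap; legitimate color values are far shorter

# Anchored patterns built only from fixed-width or bounded pieces: no nested
# or ambiguous quantifiers, so matching cannot backtrack catastrophically.
_HEX = re.compile(r"\A#(?:[0-9a-f]{3,4}|[0-9a-f]{6}|[0-9a-f]{8})\Z", re.I)
_NAME = re.compile(r"\A[a-z]{3,20}\Z", re.I)
_COMPONENT = re.compile(r"\A\d{1,3}(?:\.\d{1,3})?%?\Z")


def is_safe_color(token: str) -> bool:
    """Return True only for a short, well-formed color value."""
    tok = token.strip()
    if not tok or len(tok) > MAX_COLOR_LEN:
        return False  # length check first: bounds every later step
    if _HEX.match(tok) or _NAME.match(tok):
        return True
    low = tok.lower()
    if low.startswith(("rgb(", "rgba(")) and low.endswith(")"):
        parts = [p.strip() for p in low[low.index("(") + 1:-1].split(",")]
        expected = 3 if low.startswith("rgb(") else 4
        return len(parts) == expected and all(_COMPONENT.match(p) for p in parts)
    return False


def sanitize_style(style: str) -> str:
    """Drop color-bearing declarations whose value fails is_safe_color.

    Applies to an inline style attribute value; run the same check over
    declarations found in <style> blocks.
    """
    kept = []
    for decl in style.split(";"):
        if ":" not in decl:
            continue
        prop, value = decl.split(":", 1)
        prop = prop.strip().lower()
        if "color" in prop and not is_safe_color(value):
            continue  # discard the suspicious declaration entirely
        kept.append(f"{prop}: {value.strip()}")
    return "; ".join(kept)
```

Shorthand properties such as border and background can also carry color values; extend the property check if untrusted input may use them.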
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.