CVE-2024-56519 Overview
CVE-2024-56519 is a cross-site scripting (XSS) vulnerability [CWE-79] in TCPDF, a widely used PHP library for generating PDF documents. The flaw exists in the setSVGStyles function, which fails to sanitize the SVG font-family attribute before processing. Attackers can inject malicious content through crafted SVG input embedded in documents processed by the library. The issue affects all TCPDF versions before 6.8.0 and was fixed by routing the attribute through the getFontFamilyName sanitization helper.
Critical Impact
Unsanitized SVG font-family attributes allow attackers to inject content into generated PDFs, potentially leading to script execution or data exposure in downstream renderers.
Affected Products
- TCPDF versions prior to 6.8.0
- Applications embedding TCPDF for SVG-to-PDF conversion
- Debian LTS distributions packaging vulnerable TCPDF releases
Discovery Timeline
- 2024-12-27 - CVE-2024-56519 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-56519
Vulnerability Analysis
The vulnerability resides in TCPDF's SVG processing logic. The setSVGStyles method accepts style attributes from SVG input and applies them to the PDF rendering pipeline. When font-family is given as a standalone property rather than inside the combined font shorthand, the original code assigned its value directly without sanitization. This allowed attacker-controlled SVG content to introduce malicious payloads through the styling path.
TCPDF is commonly embedded in web applications that generate invoices, reports, and certificates from user-supplied data. When such applications accept SVG input or HTML containing SVG, the vulnerability becomes reachable over the network without authentication. The fix routes the attribute through getFontFamilyName, the same sanitization helper already used for the shorthand font property.
Root Cause
The root cause is inconsistent input sanitization between two code paths in the same function. Values parsed from the font shorthand were sanitized via getFontFamilyName, while standalone font-family values were assigned directly from $svgstyle['font-family']. This asymmetric handling left a bypass for unsanitized SVG content.
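The following is an added illustration of that asymmetry, not TCPDF's own code. It models the two branches in simplified form: the shorthand regex is the one shown in the vendor patch below, while sanitizeFontFamily is a hypothetical stand-in for getFontFamilyName whose exact rules are assumed here (strip everything outside a conservative font-name character set). The style arrays are constructed for the demonstration.

```php
<?php
// Hypothetical sanitizer standing in for TCPDF's getFontFamilyName (rules assumed):
// keep only letters, digits, underscore, hyphen and comma, so quotes, angle
// brackets, semicolons and parentheses can never reach the rendering path.
function sanitizeFontFamily(string $value): string
{
    $clean = preg_replace('/[^a-zA-Z0-9_,\-]/', '', $value);
    return $clean === '' ? 'helvetica' : strtolower($clean);
}

// Vulnerable shape (pre-6.8.0): only the shorthand path is sanitized,
// the standalone font-family value is returned as supplied.
function resolveFontFamilyVulnerable(array $svgstyle): string
{
    if (preg_match('/font-family[\s]*:[\s]*([^\;\"]*)/si', $svgstyle['font'] ?? '', $regs)) {
        return sanitizeFontFamily($regs[1]);
    }
    return $svgstyle['font-family'] ?? '';   // raw, attacker-controlled
}

// Fixed shape (6.8.0): both paths go through the same helper.
function resolveFontFamilyFixed(array $svgstyle): string
{
    if (preg_match('/font-family[\s]*:[\s]*([^\;\"]*)/si', $svgstyle['font'] ?? '', $regs)) {
        return sanitizeFontFamily($regs[1]);
    }
    return sanitizeFontFamily($svgstyle['font-family'] ?? '');
}

// Constructed inputs: a shorthand declaration, and a standalone font-family
// carrying quote and angle-bracket characters that must not pass through.
$shorthand  = ['font' => 'italic 12px font-family: Times', 'font-family' => 'Times'];
$standalone = ['font' => '', 'font-family' => 'Helvetica"><injected>'];

echo "shorthand, vulnerable:  ", resolveFontFamilyVulnerable($shorthand), "\n";
echo "standalone, vulnerable: ", resolveFontFamilyVulnerable($standalone), "\n"; // unchanged input
echo "standalone, fixed:      ", resolveFontFamilyFixed($standalone), "\n";      // stripped
```

Running the script shows the point of the fix: with the shorthand present both versions agree, but for the standalone attribute only the fixed branch removes the stray characters before the value reaches the document.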
Attack Vector
An attacker supplies SVG markup containing a crafted font-family attribute to an application that uses TCPDF for PDF generation. The malicious value flows through setSVGStyles into the rendered document. Exploitation requires no authentication and no user interaction beyond submitting the SVG payload.
// Security patch in tcpdf.php - Sanitize font-family attribute
if (preg_match('/font-family[\s]*:[\s]*([^\;\"]*)/si', $svgstyle['font'], $regs)) {
$font_family = $this->getFontFamilyName($regs[1]);
} else {
- $font_family = $svgstyle['font-family'];
+ $font_family = $this->getFontFamilyName($svgstyle['font-family']);
}
if (preg_match('/font-size[\s]*:[\s]*([^\s\;\"]*)/si', $svgstyle['font'], $regs)) {
$font_size = trim($regs[1]);
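Review bot: the else branch now matches the shorthand branch, but the font-size handling directly below (`$font_size = trim($regs[1]);`) still only trims its captured value; its pattern `([^\s\;\"]*)` excludes whitespace, semicolons and double quotes and nothing else, so confirm that is sufficient there or give font-size an equivalent normalization so the two style properties are treated consistently. A regression test that feeds setSVGStyles a standalone font-family (no `font` shorthand) containing quotes and angle brackets and asserts the sanitized result would pin this fix against a future refactor reintroducing the direct assignment.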
Source: GitHub TCPDF Commit c9f41cb
Detection Methods for CVE-2024-56519
Indicators of Compromise
- SVG files or HTML payloads containing unusual font-family values with embedded special characters, quotes, or script-like tokens
- PDF generation logs showing TCPDF processing of user-supplied SVG with malformed style attributes
- TCPDF library versions earlier than 6.8.0 present in application dependency manifests such as composer.lock
Detection Strategies
- Inventory all PHP applications and identify TCPDF versions via composer show tecnickcom/tcpdf or direct inspection of tcpdf.php
- Inspect application input flows for endpoints that accept SVG, HTML, or rich text data subsequently passed to writeHTML or ImageSVG
- Review web application firewall (WAF) logs for SVG payloads containing suspicious font-family declarations
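As an added example of the dependency-manifest check listed above (not part of the advisory or of TCPDF), this script reads a composer.lock, locates the tecnickcom/tcpdf entry in either the packages or packages-dev section, and compares its version against the fixed release 6.8.0. The lock-file content is constructed for the demonstration.

```php
<?php
// Added example: flag a composer.lock that records a TCPDF release older than 6.8.0.
const TCPDF_PACKAGE = 'tecnickcom/tcpdf';
const TCPDF_FIXED   = '6.8.0';

/**
 * Return the recorded version of tecnickcom/tcpdf from composer.lock JSON,
 * or null when the package is absent. Both "packages" and "packages-dev"
 * are searched because a dev-only install is just as exploitable in CI.
 */
function tcpdfVersionFromLock(string $lockJson): ?string
{
    $lock = json_decode($lockJson, true, 512, JSON_THROW_ON_ERROR);
    foreach (['packages', 'packages-dev'] as $section) {
        foreach ($lock[$section] ?? [] as $pkg) {
            if (strtolower($pkg['name'] ?? '') === TCPDF_PACKAGE) {
                return $pkg['version'] ?? null;
            }
        }
    }
    return null;
}

/** True when the version is older than 6.8.0; a leading "v" is tolerated. */
function tcpdfIsVulnerable(string $version): bool
{
    return version_compare(ltrim($version, 'vV'), TCPDF_FIXED, '<');
}

// Constructed lock file: one unrelated package and a pre-fix TCPDF release.
$constructedLock = <<<'JSON'
{
  "packages": [
    {"name": "psr/log", "version": "3.0.0"},
    {"name": "tecnickcom/tcpdf", "version": "6.7.8"}
  ],
  "packages-dev": []
}
JSON;

$version = tcpdfVersionFromLock($constructedLock);
if ($version === null) {
    echo TCPDF_PACKAGE . " not present in lock file\n";
} elseif (tcpdfIsVulnerable($version)) {
    echo TCPDF_PACKAGE . " $version is affected by CVE-2024-56519; upgrade to " . TCPDF_FIXED . " or later\n";
} else {
    echo TCPDF_PACKAGE . " $version is at or above the fixed release\n";
}
```

Point the script at a real lock file with `file_get_contents('composer.lock')` in place of the constructed string. Branch aliases such as `dev-master` do not compare meaningfully with version_compare and should be reviewed by hand, and a lock file only reflects one application; a vendored copy of tcpdf.php outside Composer needs the direct inspection the strategy list mentions.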
Monitoring Recommendations
- Alert on outbound traffic from PDF generation services to unexpected hosts, which may indicate successful payload execution
- Track file uploads of .svg and .html artifacts processed by TCPDF-backed services
- Monitor patch status of third-party PHP libraries through software composition analysis (SCA) tooling
How to Mitigate CVE-2024-56519
Immediate Actions Required
- Upgrade TCPDF to version 6.8.0 or later across all production and development environments
- Apply the Debian LTS update referenced in the Debian LTS Announcement for affected distributions
- Audit application code for direct calls to writeHTML, ImageSVG, and related TCPDF entry points that accept untrusted input
Patch Information
The vendor fix is included in TCPDF 6.8.0. The patch routes the SVG font-family attribute through the existing getFontFamilyName sanitization function. Review the full change set in the TCPDF 6.7.8 to 6.8.0 comparison and the specific security commit c9f41cb.
Workarounds
- Strip or sanitize SVG font-family attributes from user input before passing content to TCPDF
- Restrict SVG input to a server-side allowlist of trusted font names if upgrading is not immediately feasible
- Disable SVG processing in TCPDF-backed endpoints when business requirements permit
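The first two workarounds combined, as an added example that is not TCPDF code: before untrusted SVG is handed to ImageSVG or writeHTML, every font-family, whether an attribute or a declaration inside a style attribute, is mapped to a server-side allowlist of font names, with unknown names replaced by a default so no raw attacker-controlled font string survives. The allowlist, the default and the sample SVG are constructed for this demonstration.

```php
<?php
// Added example: normalize all font-family values in untrusted SVG to an allowlist
// before the markup reaches TCPDF. Allowlist and default are assumptions.
const ALLOWED_FONTS = ['helvetica', 'times', 'courier', 'dejavusans'];
const DEFAULT_FONT  = 'helvetica';

/** Map a font-family value to an allowlisted name; first allowed name in a comma list wins. */
function allowlistFontFamily(string $value): string
{
    foreach (explode(',', $value) as $candidate) {
        $name = strtolower(trim($candidate, " \t\n\r\"'"));
        if (in_array($name, ALLOWED_FONTS, true)) {
            return $name;
        }
    }
    return DEFAULT_FONT;
}

/** Rewrite only the font-family declaration inside a CSS style string. */
function sanitizeStyleFontFamily(string $style): string
{
    return preg_replace_callback(
        '/font-family\s*:\s*([^;]*)/i',
        fn(array $m): string => 'font-family: ' . allowlistFontFamily($m[1]),
        $style
    );
}

/** Parse the SVG as XML and normalize every font-family occurrence; returns cleaned markup. */
function sanitizeSvgFonts(string $svg): string
{
    $doc = new DOMDocument();
    // LIBXML_NONET keeps the parser from fetching anything over the network.
    if (!$doc->loadXML($svg, LIBXML_NONET | LIBXML_NOERROR | LIBXML_NOWARNING)) {
        throw new InvalidArgumentException('SVG input is not well-formed XML');
    }
    $xpath = new DOMXPath($doc);
    foreach ($xpath->query('//*[@font-family or @style]') as $el) {
        if ($el->hasAttribute('font-family')) {
            $el->setAttribute('font-family', allowlistFontFamily($el->getAttribute('font-family')));
        }
        if ($el->hasAttribute('style')) {
            $el->setAttribute('style', sanitizeStyleFontFamily($el->getAttribute('style')));
        }
    }
    return $doc->saveXML();
}

// Constructed untrusted SVG: one allowed name, one attribute and one style
// declaration carrying values that must not reach TCPDF unchanged.
$untrusted = <<<'SVG'
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="80">
  <text x="10" y="20" font-family="Times, serif">allowed</text>
  <text x="10" y="40" font-family="Helvetica&quot;&gt;&lt;injected&gt;">attribute</text>
  <text x="10" y="60" style="fill:#000; font-family: Nope&quot;; font-size: 12px">style</text>
</svg>
SVG;

echo sanitizeSvgFonts($untrusted);
```

In the output the first text element keeps times, the second and third fall back to helvetica, and the remaining style declarations are untouched. Rejecting ill-formed XML rather than repairing it is deliberate: a document that does not parse cleanly should not be handed to a PDF renderer at all.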
# Verify and update TCPDF via Composer
composer show tecnickcom/tcpdf
composer require tecnickcom/tcpdf:^6.8.0
composer update tecnickcom/tcpdf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


