CVE-2024-56520 Overview
CVE-2024-56520 affects tc-lib-pdf-font before version 2.6.4 and TCPDF before 6.8.0. The vulnerability stems from improper handling of font data, specifically the misparsing of the FontBBox value for Type 1 and TrueType fonts. Applications that accept or process untrusted font files through these libraries can trigger inconsistent parsing behavior. The flaw was addressed in tc-lib-pdf-font 2.6.4 and corresponding TCPDF releases, with Debian LTS issuing a downstream advisory in June 2025.
Critical Impact
Attackers supplying crafted Type 1 or TrueType fonts to applications using vulnerable TCPDF or tc-lib-pdf-font versions can cause input mishandling that affects confidentiality, integrity, and availability of the PDF generation workflow.
Affected Products
- tc-lib-pdf-font before 2.6.4
- TCPDF before 6.8.0
- Debian distributions shipping vulnerable TCPDF packages (per Debian LTS advisory)
Discovery Timeline
- 2024-12-27 - CVE-2024-56520 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-56520
Vulnerability Analysis
The vulnerability resides in the font import logic of tc-lib-pdf-font, used by TCPDF and other PDF generation tools. The library parses the FontBBox directive within Type 1 font definitions to derive ascent and descent metrics. The original code trimmed the matched string and split it on whitespace without normalizing the resulting tokens, then cast individual values to integers only when read. This loose parsing produced inconsistent internal state when font files contained unexpected whitespace, extra tokens, or malformed bounding-box values. The same class of mishandling extended to TrueType font processing through the addTTFfont routine in TCPDF.
Root Cause
The defect is an input validation error in font metric extraction. The FontBBox value is treated as trusted, structured input even though it originates from font files that may be attacker-controlled. Because the array elements were not validated and the bounding-box string was not normalized before storage, downstream PDF generation relied on values that did not match the parsed numeric form.
Attack Vector
An attacker delivers a crafted Type 1 or TrueType font to a server-side or client-side application that uses TCPDF or tc-lib-pdf-font to render PDF output. The attack surface includes web applications that accept user-uploaded fonts, PDF templating services that embed third-party fonts, and any pipeline that calls addTTFfont on untrusted files. No authentication or user interaction is required when the font ingestion path is exposed to network input.
// Patch in src/Import/TypeOne.php - Improved parsing of TypeOne FontBBox
$this->fdt['name'] = $name;
preg_match('#/FontBBox[\s]*+{([^}]*+)#', $this->font, $matches);
- $this->fdt['bbox'] = trim($matches[1]);
- $bvl = explode(' ', $this->fdt['bbox']);
- $this->fdt['Ascent'] = (int) $bvl[3];
- $this->fdt['Descent'] = (int) $bvl[1];
+ $rawbvl = explode(' ', trim($matches[1]));
+ $bvl = [(int) $rawbvl[0], (int) $rawbvl[1], (int) $rawbvl[2], (int) $rawbvl[3]];
+ $this->fdt['bbox'] = implode(' ', $bvl);
+ $this->fdt['Ascent'] = $bvl[3];
+ $this->fdt['Descent'] = $bvl[1];
preg_match('#/ItalicAngle[\s]*+([0-9\+\-]*+)#', $this->font, $matches);
$this->fdt['italicAngle'] = (int) $matches[1];
Source: tc-lib-pdf-font commit 30012e3. The patch normalizes each FontBBox element to an integer before assembling the bounding box and assigning Ascent and Descent.
Detection Methods for CVE-2024-56520
Indicators of Compromise
- Application logs showing PDF generation errors or font import warnings tied to addTTFfont or Type 1 font loading.
- User-uploaded .ttf, .otf, or .pfa files with malformed or unusual FontBBox directives.
- Crash reports or PHP exceptions originating from tc-lib-pdf-font import classes when processing untrusted fonts.
Detection Strategies
- Inventory PHP applications and identify dependencies on TCPDF or tc-lib-pdf-font through composer.lock files and vendor directories.
- Compare installed versions against TCPDF 6.8.0 and tc-lib-pdf-font 2.6.4 as the minimum fixed releases.
- Review code paths that pass user-supplied font files into TCPDF::addTTFfont() or related import functions.
Monitoring Recommendations
- Log all font ingestion events including source IP, filename, and file hash for upload-driven PDF generation endpoints.
- Alert on repeated PDF generation failures from a single source, which may indicate fuzzing of font parsing logic.
- Track outbound network activity from PHP workers that process untrusted fonts to detect anomalous post-exploitation behavior.
How to Mitigate CVE-2024-56520
Immediate Actions Required
- Upgrade tc-lib-pdf-font to version 2.6.4 or later.
- Upgrade TCPDF to version 6.8.0 or later in all applications and shared hosting environments.
- Apply the Debian LTS update referenced in the Debian LTS announcement for affected distributions.
- Audit application endpoints that accept font files from untrusted users and restrict them where possible.
Patch Information
The upstream fix is published in the tc-lib-pdf-font 2.6.2 to 2.6.4 comparison and incorporated into TCPDF via the TCPDF 6.7.8 to 6.8.0 comparison. The TCPDF changelog entry is recorded in commit a0a02ef and notes the addition of addTTFfont fixes ported from tc-lib-pdf-font. Refer to the TCPDF official website for downloads and release notes.
Workarounds
- Restrict font uploads to a curated allowlist of internally vetted font files.
- Reject font submissions that do not match expected MIME types and structural validation before passing them to TCPDF.
- Run PDF generation workers in isolated containers with minimal filesystem and network privileges to limit the blast radius of font parsing faults.
# Update via Composer to the fixed releases
composer require tecnickcom/tcpdf:^6.8.0
composer require tecnickcom/tc-lib-pdf-font:^2.6.4
# Debian / Ubuntu package update
sudo apt-get update
sudo apt-get install --only-upgrade libtcpdf-php
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
