CVE-2025-65875 Overview
An arbitrary file upload vulnerability exists in the AddFont() function of FPDF v1.86 and earlier versions. This security flaw allows attackers to execute arbitrary code by uploading a crafted PHP file through the vulnerable font handling mechanism. FPDF is a widely-used PHP library for generating PDF documents, making this vulnerability particularly concerning for web applications that incorporate PDF generation functionality.
Critical Impact
Successful exploitation enables remote code execution through malicious PHP file uploads, potentially compromising the entire web server and underlying infrastructure.
Affected Products
- FPDF v1.86 and earlier versions
- Applications utilizing FPDF library for PDF generation
- Web servers running vulnerable FPDF implementations
Discovery Timeline
- 2026-02-03 - CVE-2025-65875 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2025-65875
Vulnerability Analysis
This vulnerability is classified as CWE-434 (Unrestricted Upload of File with Dangerous Type). The AddFont() function in FPDF fails to properly validate uploaded font files, allowing attackers to bypass intended file type restrictions. When a malicious PHP file is disguised as a font resource and processed by the vulnerable function, the attacker gains the ability to execute arbitrary PHP code on the server.
The vulnerability is reachable over the network and exploitation requires only low privileges. Once exploited, it gives an attacker complete control over the confidentiality, integrity, and availability of the affected system, which makes it particularly dangerous in shared hosting environments and in applications that process user-supplied content.
Root Cause
The root cause is insufficient input validation in the AddFont() function: it does not verify that the uploaded file is a legitimate font resource before processing it. Because no file type check is performed, a PHP file can be uploaded and subsequently executed when the server processes the malicious payload.
The vulnerability occurs because:
- The function accepts file paths without proper sanitization
- No content-type verification is performed on font file uploads
- The processing logic does not distinguish between legitimate font formats and executable PHP code
Attack Vector
The attack is conducted over the network and requires only low-level privileges. An attacker can craft a malicious PHP file that masquerades as a font file and submit it through any application interface that utilizes the vulnerable AddFont() function.
The exploitation process involves:
- Creating a PHP webshell or malicious script disguised with font-related naming conventions
- Uploading the crafted file through an application feature that passes data to AddFont()
- Triggering execution of the malicious PHP code, granting the attacker remote code execution capabilities
For technical implementation details, refer to the FPDF Official Website and the GitHub FPDF Repository.
Detection Methods for CVE-2025-65875
Indicators of Compromise
- Unexpected PHP files appearing in font directories or temporary upload locations
- Web server logs showing unusual requests to font-related endpoints with PHP file extensions
- New or modified files in FPDF library directories with executable permissions
- Suspicious outbound network connections originating from the web server process
Detection Strategies
- Monitor file system changes in directories used by FPDF for font storage and caching
- Implement file integrity monitoring on application directories to detect unauthorized PHP file creation
- Review web application firewall logs for attempts to upload files with PHP content signatures
- Scan application logs for calls to AddFont() with unusual or suspicious file paths
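One way to put the indicators and strategies above into practice, as an added example that is not part of this advisory or of FPDF: the script below audits the FPDF font directory against a known-good hash baseline, uses PHP's tokenizer to tell a genuine font definition file (which only assigns metric variables such as $type, $name and $cw) from one that contains executable logic, and scans access-log lines for .php requests under font-related paths. The scratch directory, the baseline and the log lines are constructed for the demo; the directory path and the combined log format are assumptions to adjust to the real deployment.

```php
<?php
// Added example, not from the advisory or from FPDF: a read-only audit for the
// detection ideas above. Directory, baseline and log lines are constructed.
declare(strict_types=1);

// True only if $source looks like an FPDF font definition file, i.e. PHP that
// merely assigns metric variables. Uses the tokenizer rather than regexes: any
// include/eval/function/class, superglobal access, backtick, echo/print, or a
// call other than chr() (the shipped definition files use chr() for $cw keys)
// means the file carries executable logic and is not just font data.
function looksLikeFontDefinition(string $source): bool
{
    $tokens = token_get_all($source);
    $count  = count($tokens);
    $banned = [T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE,
               T_FUNCTION, T_CLASS, T_NEW, T_ECHO, T_PRINT, T_OPEN_TAG_WITH_ECHO];
    for ($i = 0; $i < $count; $i++) {
        $tok = $tokens[$i];
        if (is_string($tok)) {
            if ($tok === '`') {
                return false;                       // shell-exec operator
            }
            continue;
        }
        [$id, $text] = $tok;
        if (in_array($id, $banned, true)) {
            return false;
        }
        if ($id === T_VARIABLE && preg_match('/^\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)$/', $text)) {
            return false;
        }
        if ($id === T_STRING && strtolower($text) !== 'chr') {
            // An identifier followed by "(" is a function call.
            $j = $i + 1;
            while ($j < $count && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if ($j < $count && $tokens[$j] === '(') {
                return false;
            }
        }
    }
    return true;
}

// Compare every file in the font directory with a baseline of SHA-256 digests
// taken when the deployment was known-good; also flag any .php file whose
// content is not a plain font definition.
function auditFontDirectory(string $dir, array $baseline): array
{
    $findings = [];
    foreach (scandir($dir) ?: [] as $name) {
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        if (!is_file($path)) {
            continue;
        }
        $hash = hash_file('sha256', $path);
        if (!isset($baseline[$name])) {
            $findings[] = "NEW FILE: $name";
        } elseif ($hash !== $baseline[$name]) {
            $findings[] = "MODIFIED: $name";
        }
        if (preg_match('/\.php$/i', $name) && !looksLikeFontDefinition((string) file_get_contents($path))) {
            $findings[] = "EXECUTABLE LOGIC IN FONT FILE: $name";
        }
    }
    return $findings;
}

// Flag combined-log-format requests whose path is a .php file under a font
// directory, or whose query string carries a .php reference or a PHP open tag.
function scanAccessLog(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        if (!preg_match('#"(?:GET|POST|PUT|PATCH) (\S+) HTTP/[\d.]+"#', $line, $m)) {
            continue;
        }
        $path  = (string) (parse_url($m[1], PHP_URL_PATH) ?? '');
        $query = urldecode((string) (parse_url($m[1], PHP_URL_QUERY) ?? ''));
        if (preg_match('#/fonts?/[^?]*\.php$#i', $path) || preg_match('/\.php\b|<\?php/i', $query)) {
            $hits[] = sprintf('log line %d: %s', $i + 1, $m[1]);
        }
    }
    return $hits;
}

// Constructed demo data: a scratch directory standing in for fpdf/font with one
// legitimate-looking definition and one planted file, plus four log lines.
$dir = sys_get_temp_dir() . '/fpdf-font-audit-' . getmypid();
mkdir($dir);
file_put_contents("$dir/helvetica.php",
    "<?php\n\$type = 'Core';\n\$name = 'Helvetica';\n\$up = -100;\n\$ut = 50;\n\$cw = array(chr(0)=>278,chr(32)=>278);\n");
file_put_contents("$dir/arialb.php",
    "<?php\n\$type = 'Core';\n\$name = 'Arial';\nerror_log(\$_GET['q']);\n");
$baseline  = ['helvetica.php' => hash('sha256', (string) file_get_contents("$dir/helvetica.php"))];
$sampleLog = [
    '203.0.113.5 - - [03/Feb/2026:10:01:02 +0000] "GET /report.php?id=42 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [03/Feb/2026:10:01:09 +0000] "POST /upload/font HTTP/1.1" 200 77',
    '203.0.113.5 - - [03/Feb/2026:10:01:15 +0000] "GET /fpdf/font/arialb.php HTTP/1.1" 200 1380',
    '198.51.100.7 - - [03/Feb/2026:10:02:00 +0000] "GET /report.php?font=../font/x.php HTTP/1.1" 500 0',
];

foreach (array_merge(auditFontDirectory($dir, $baseline), scanAccessLog($sampleLog)) as $finding) {
    echo $finding, PHP_EOL;
}
array_map('unlink', glob("$dir/*.php") ?: []);
rmdir($dir);
```

The tokenizer check matters because FPDF's font directory legitimately contains .php files, so a rule that alerts on every PHP file there would never be quiet; the baseline flags anything new or changed, and the content check says why a file is suspicious. Run it from cron or a file-integrity hook with a baseline generated at deployment time.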
Monitoring Recommendations
- Enable detailed logging for all file upload operations in applications using FPDF
- Configure intrusion detection systems to alert on PHP file creation in non-standard directories
- Implement real-time file scanning for newly created files in web-accessible directories
- Monitor server resource utilization for anomalies that may indicate post-exploitation activity
How to Mitigate CVE-2025-65875
Immediate Actions Required
- Audit all applications using FPDF to identify vulnerable implementations
- Restrict file upload capabilities and implement strict input validation on font file handling
- Apply the principle of least privilege to web server processes handling FPDF operations
- Consider temporarily disabling custom font functionality until patches are applied
Patch Information
Organizations should monitor the FPDF Official Website and GitHub FPDF Repository for security updates addressing this vulnerability. Review the GitLab Advisory for related guidance on PDF font library vulnerabilities.
Until an official patch is released, implementing compensating controls is essential for protecting vulnerable installations.
Workarounds
- Implement strict file type validation that verifies file contents match expected font formats before processing
- Use allowlisting to restrict font file sources to trusted, predefined locations only
- Deploy web application firewall rules to block requests containing PHP code signatures in font upload parameters
- Isolate FPDF processing in a sandboxed environment with minimal system privileges
# Configuration example
# Restrict file permissions on the FPDF font directory. The web server process
# only needs to read the shipped font definitions, so it should neither own the
# directory nor be able to write to it (owner root, group www-data, others denied).
chown root:www-data /path/to/fpdf/font/
chmod 750 /path/to/fpdf/font/
# Disable PHP execution in the font directory (Apache with mod_php): add to the
# .htaccess file in the font directory. FPDF reads its definition files with
# include(), not over HTTP, so blocking web access does not affect PDF generation.
php_flag engine off
# With PHP-FPM the php_flag directive is ignored; deny the files instead:
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>
# For Nginx, add to the server block before the generic "location ~ \.php$"
# fastcgi block, since Nginx uses the first matching regex location:
location ~* /font/.*\.php$ { deny all; }
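The Root Cause section traces the issue to AddFont() accepting file paths without sanitization, and the workarounds above call for content validation and allowlisting of trusted, predefined locations. The wrapper below is an added example, not FPDF's own code and not from this advisory, of enforcing both in the application before FPDF is called: it assumes the documented AddFont($family, $style, $file, $dir) parameters of FPDF, and the SafeFontLoader class name, the ./font directory, the DejaVu font names and the placeholder SHA-256 digests are illustrative assumptions.

```php
<?php
// Added example, not part of FPDF or of this advisory. Wraps FPDF::AddFont()
// so that user-controlled values never reach its $file or $dir parameters.
// Assumptions: fpdf.php sits next to this file; font definitions live in
// ./font; the allowlist digests are placeholders for real SHA-256 values.
declare(strict_types=1);

require_once __DIR__ . '/fpdf.php';

final class SafeFontLoader
{
    private string $fontDir;        // the only directory ever passed as $dir
    private array $allowedFiles;    // basename => SHA-256 of the known-good file

    public function __construct(string $fontDir, array $allowedFiles)
    {
        $real = realpath($fontDir);
        if ($real === false || !is_dir($real)) {
            throw new RuntimeException('Font directory does not exist: ' . $fontDir);
        }
        $this->fontDir      = $real . DIRECTORY_SEPARATOR;
        $this->allowedFiles = $allowedFiles;
    }

    // Map a (family, style) pair from the application's own vocabulary to a
    // validated definition file and register it with FPDF. Raw request
    // parameters are never forwarded as a path.
    public function addFont(FPDF $pdf, string $family, string $style = ''): void
    {
        // 1. Family and style are restricted to a tight grammar.
        if (!preg_match('/\A[a-z][a-z0-9 ]{0,31}\z/i', $family)) {
            throw new InvalidArgumentException('Invalid font family');
        }
        $style = strtoupper($style);
        if (!in_array($style, ['', 'B', 'I', 'BI'], true)) {
            throw new InvalidArgumentException('Invalid font style');
        }

        // 2. Derive the definition file name the way FPDF does internally
        //    (lower-cased family without spaces, lower-cased style, ".php").
        $file = str_replace(' ', '', strtolower($family)) . strtolower($style) . '.php';

        // 3. The file must be allowlisted, must resolve inside the font
        //    directory, and must still have its known-good digest, so a planted
        //    or modified definition file is rejected before FPDF include()s it.
        if (!isset($this->allowedFiles[$file])) {
            throw new RuntimeException('Font definition not allowlisted: ' . $file);
        }
        $realPath = realpath($this->fontDir . $file);
        if ($realPath === false || strncmp($realPath, $this->fontDir, strlen($this->fontDir)) !== 0) {
            throw new RuntimeException('Font definition is outside the font directory');
        }
        $actual = hash_file('sha256', $realPath);
        if ($actual === false || !hash_equals($this->allowedFiles[$file], $actual)) {
            throw new RuntimeException('Font definition file has been modified: ' . $file);
        }

        // 4. Only now call the library, always with the fixed directory.
        $pdf->AddFont($family, $style, $file, $this->fontDir);
    }
}

// Usage. The allowlist is generated once from the font definitions shipped
// with the application; the digests below are placeholders.
$loader = new SafeFontLoader(__DIR__ . '/font', [
    'dejavusans.php'  => '<sha256 of the shipped dejavusans.php>',
    'dejavusansb.php' => '<sha256 of the shipped dejavusansb.php>',
]);

$pdf = new FPDF();
$pdf->AddPage();
$loader->addFont($pdf, 'DejaVuSans', 'B');
$pdf->SetFont('DejaVuSans', 'B', 12);
$pdf->Cell(0, 10, 'Rendered with a validated font definition');
$pdf->Output('F', __DIR__ . '/out.pdf');
```

Because the definition file name is derived from a validated (family, style) pair and the directory is fixed at construction time, no request parameter is ever used as a path. The digest check is what covers the case this advisory describes: even if a file does get written into the font directory, AddFont() is never asked to load it unless its SHA-256 matches the shipped copy.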
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.