Security vulnerability in FPDI

Created on 12 August 2025

Problem motivation

A security vulnerability has been reported in versions of FPDI earlier than 2.6.4.

"This is a significant Denial of Service (DoS) vulnerability. Any application that uses FPDI to process
user-supplied PDF files is at risk. An attacker can upload a small, malicious PDF file that will cause
the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained
service unavailability."

Proposed resolution

Require "setasign/fpdi": "^2.6.4" in composer.json
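A quick way to audit a site for this issue before the composer.json change lands is to read the locked FPDI version out of composer.lock and compare it against 2.6.4. The script below is an added example, not part of the issue or of the module's code; the composer.lock excerpt it parses is constructed for the example, and the package name and version threshold are the ones stated in this issue.

```python
import json
import re
from typing import Optional, Tuple

# Constructed composer.lock excerpt (not taken from any real site). A site on
# the vulnerable range would show a "version" below 2.6.4, as here.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "setasign/fpdi", "version": "v2.6.3"},
        {"name": "tecnickcom/tcpdf", "version": "6.10.0"},
    ],
    "packages-dev": [],
})

# First FPDI release without the reported memory-exhaustion DoS (per this issue).
FIXED_FPDI: Tuple[int, int, int] = (2, 6, 4)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Composer version such as 'v2.6.3' or '2.6.3' into (2, 6, 3)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        # Branch aliases such as 'dev-master' cannot be compared numerically;
        # surface them rather than silently treating them as safe.
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def find_locked_version(lock_json: str, package: str) -> Optional[str]:
    """Return the version composer.lock pins for `package`, or None if absent."""
    lock = json.loads(lock_json)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name") == package:
                return pkg.get("version")
    return None


def fpdi_is_vulnerable(lock_json: str) -> bool:
    """True when setasign/fpdi is locked at a version below 2.6.4."""
    version = find_locked_version(lock_json, "setasign/fpdi")
    if version is None:
        return False  # FPDI is not installed, so this advisory does not apply
    return parse_version(version) < FIXED_FPDI


if __name__ == "__main__":
    print("vulnerable" if fpdi_is_vulnerable(SAMPLE_COMPOSER_LOCK) else "ok")
```

Point the script at a real composer.lock by reading the file into `fpdi_is_vulnerable`; after `composer update setasign/fpdi` the locked version should be 2.6.4 or later and the check returns False.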

Remaining tasks

Commit change and release.

User interface changes

None

API changes

None

Data model changes

None

📌 Task
Status

Active

Version

3.0

Component

Code

Created by

🇬🇧United Kingdom stevewilson

  • Security


Comments & Activities

  • Issue created by @stevewilson
  • First commit to issue fork.
  • @immaculatexavier opened merge request.
  • 🇬🇧United Kingdom stevewilson

    Having updated FPDI to v2.6.4 (and TCPDF to v6.10.0), PDF creation on my site appears to work as before, so, for me, this looks good to go. Over to a maintainer to commit or seek further testing if deemed necessary.

  • 🇮🇳India vinodhini.e chennai

    Hi, I have updated composer.json to require "setasign/fpdi": "^2.6.4" and ran composer update.
    I tested the Views PDF functionality locally on Drupal 10.5.1, and the memory exhaustion / DoS issue is no longer observed.
    The patch successfully resolves the reported vulnerability.

    Thanks.
