Headline
GHSA-jxhh-4648-vpp3: FPDI allows Memory Exhaustion (OOM) in PDF Parser which leads to Denial of Service
Impact
This is a significant Denial of Service (DoS) vulnerability. Any application that uses FPDI to process user-supplied PDF files is at risk. An attacker can upload a small, malicious PDF file that will cause the server-side script to crash due to memory exhaustion. Repeated attacks can lead to sustained service unavailability.
Patches
Fixed as of version 2.6.4
Workarounds
No.
- CVE-2025-54869
Moderate severity GitHub Reviewed Published Aug 5, 2025 in Setasign/FPDI • Updated Aug 5, 2025
Package
composer setasign/fpdi (Composer)
Affected versions
< 2.6.4
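As an added check that is not part of the advisory or of the FPDI project, the following Python script reads a composer.lock document and flags every setasign/fpdi entry that falls inside the affected range (below the 2.6.4 fix); the lock content embedded below is constructed for illustration, and pre-release tags such as 2.6.4-RC1 are deliberately ordered before the final 2.6.4 release.

```python
import json
import re

# Constructed composer.lock fragment (not taken from the advisory): one
# vulnerable setasign/fpdi install plus unrelated packages as noise.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "setasign/fpdi", "version": "v2.6.3"},
        {"name": "setasign/fpdf", "version": "1.8.6"},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "9.6.20"},
    ],
})

AFFECTED_PACKAGE = "setasign/fpdi"
# Advisory: affected versions "< 2.6.4", fixed as of 2.6.4.
# The trailing 1 marks a final release; pre-releases get 0 so they sort below.
FIXED_VERSION = (2, 6, 4, 1)

_VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)(?:\.(\d+))?(-(?:alpha|beta|rc)[\w.]*)?(?:\+[\w.]+)?",
    re.IGNORECASE,
)

def parse_version(version: str):
    """Map a Composer version string ('v2.6.3', '2.6.4-RC1') to a comparable
    tuple. Branch aliases such as '2.6.x-dev' cannot be ordered safely and
    return None so they are reported for manual review."""
    m = _VERSION_RE.fullmatch(version)
    if not m:
        return None
    final = 0 if m.group(4) else 1
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), final)

def fpdi_findings(lock_json: str):
    """Return [(section, version, status)] for every setasign/fpdi entry:
    'vulnerable' below the fix, 'patched' at or above it, 'unknown' when the
    version string could not be ordered."""
    lock = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            if pkg.get("name", "").lower() != AFFECTED_PACKAGE:
                continue
            parsed = parse_version(pkg.get("version", ""))
            if parsed is None:
                status = "unknown"
            else:
                status = "vulnerable" if parsed < FIXED_VERSION else "patched"
            findings.append((section, pkg["version"], status))
    return findings

if __name__ == "__main__":
    for section, version, status in fpdi_findings(SAMPLE_LOCK):
        print(f"{section}: {AFFECTED_PACKAGE} {version} -> {status}")
```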
References
- GHSA-jxhh-4648-vpp3
- Setasign/FPDI@ba671ba
Published to the GitHub Advisory Database
Aug 5, 2025