CVE-2025-65875
Published: 03 February 2026
Summary
CVE-2025-65875 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in FPDF, the PHP PDF-generation library from fpdf.org (vendor and product are both recorded as "Fpdf"). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 31.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-65875 is an arbitrary file upload vulnerability (CWE-434, Unrestricted Upload of File with Dangerous Type) in the AddFont() function of FPDF version 1.86 and earlier. AddFont() does not receive uploads itself: as documented by FPDF, it loads a font definition file, which in FPDF is a PHP file produced by the library's makefont tool, from a path built from its family, style, file and directory arguments (with the file name defaulting to the family name plus the style suffix and a .php extension) and executes it with include(). If an attacker can place a crafted PHP file where that path resolves, for example through an upload feature, and can influence the arguments an application passes to AddFont(), the crafted file runs with the web server's privileges. The vulnerability was published on 2026-02-03 and carries a CVSS v3.1 base score of 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The vector reflects an attacker with low privileges (PR:L) exploiting the flaw remotely over the network (AV:N), with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation yields arbitrary code execution on the affected host, with high impact on confidentiality, integrity and availability (C:H/I:H/A:H) within an unchanged scope (S:U). In practice, whether a given deployment is exploitable depends on whether attacker-controlled data can reach AddFont()'s arguments and whether attacker-writable locations are reachable from the font path.
Advisories and related resources recorded for this CVE: http://www.fpdf.org (the upstream project), https://advisories.gitlab.com/pkg/composer/tecnickcom/tc-lib-pdf-font/CVE-2024-56520/ (an advisory for the separate but related CVE-2024-56520 in tecnickcom/tc-lib-pdf-font, not for FPDF itself), and https://github.com/Setasign/FPDF (the Composer-packaged distribution of FPDF maintained by Setasign). Security practitioners should review these references for recommended mitigations, such as upgrading to a patched version where one is available; until then, treat every value passed to AddFont() as untrusted and keep the font directory read-only and separate from any upload location.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-206725
Vulnerability details
An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An arbitrary PHP file upload (CWE-434) in a web library lets a remote attacker exploit the public-facing application that embeds it (T1190) and, once a crafted PHP file is executed, plant a web shell for persistent code execution (T1505.003, Server Software Component: Web Shell).
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation) requires timely remediation of known flaws; for this CVE that means upgrading FPDF, including Composer-packaged copies such as setasign/fpdf, to a release that fixes the AddFont() issue once one is available, and tracking the vendor references above until then.
SI-10 (Information Input Validation) requires validating the font family, style, file and directory values before they reach AddFont(), for example by mapping user choices to a fixed allowlist of shipped font definition files, so that attacker-controlled input cannot steer the function to a crafted PHP file.
SI-9 (Information Input Restrictions) is cited for restricting who may supply inputs such as font files; note that SI-9 is withdrawn in NIST SP 800-53 and its intent is carried by the access-control family (AC-3, AC-6), so in practice this maps to denying unprivileged users any write access to the directory AddFont() reads from.
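The vulnerable-versus-hardened pattern below is an added example written for this page; it is not code from the FPDF project, from Setasign, or from this advisory. It assumes PHP 8, FPDF's documented AddFont($family, $style, $file, $dir) signature and its include()-based loading of definition files, and a hypothetical application in which request parameters reach AddFont(). The function and class names, the font file names, the uploads/ directory and the sample attacker inputs are all invented for illustration. The hardened FontCatalog is one way to implement the SI-10 input-validation control described above: only allowlisted (family, style) pairs map to definition files, and the resolved path is confirmed to sit inside a read-only font directory before it is handed to AddFont().

```php
<?php
// Added example, not code from the FPDF project or from this advisory.
// Assumed: PHP >= 8.0, fpdf.php on the include path when safeAddFont() is
// actually called, and a read-only ./font/ directory holding definition
// files produced by FPDF's makefont tool. The font names, the uploads/
// directory and every function/class below are hypothetical.
//
// FPDF's documented AddFont($family, $style = '', $file = '', $dir = '')
// resolves $dir/$file (with $file defaulting to family+style+".php") and
// executes that definition file with include(). Any PHP inside it runs.
declare(strict_types=1);

// --- Vulnerable pattern: request data reaches AddFont() ---------------------
// If an attacker can first store uploads/evil.php (CWE-434) and then send
// ?family=evil&file=evil.php, AddFont() include()s the attacker's file.
// Even with $file left empty, family="../uploads/evil" is enough, because
// FPDF builds "../uploads/evil.php" from the family name.
function vulnerableAddFont(FPDF $pdf, array $request): void
{
    $pdf->AddFont($request['family'], '', $request['file'] ?? '', __DIR__ . '/uploads/');
}

// --- Hardened pattern: allowlist + fixed, read-only directory ---------------
final class FontCatalog
{
    /** family => [style => definition file]. Nothing else may be loaded. */
    private const ALLOWED = [
        'dejavusans' => ['' => 'DejaVuSans.php', 'B' => 'DejaVuSans-Bold.php'],
        'opensans'   => ['' => 'OpenSans-Regular.php'],
    ];

    public function __construct(private string $fontDir) {}

    /**
     * Map (family, style) to the arguments AddFont() should receive, or throw.
     * Input is normalised the way FPDF itself does (lowercase family, uppercase
     * style) so the allowlist key matches what FPDF would use internally.
     */
    public function resolve(string $family, string $style = ''): array
    {
        $family = strtolower($family);
        $style  = strtoupper($style);
        if (!isset(self::ALLOWED[$family][$style])) {
            throw new InvalidArgumentException("font not in allowlist: {$family}/{$style}");
        }
        $file = self::ALLOWED[$family][$style];

        // Defence in depth: the resolved file must exist inside the font
        // directory, so a symlink or a misconfigured $fontDir cannot point
        // AddFont() at an upload location.
        $base = realpath($this->fontDir);
        $path = $base === false ? false : realpath($base . DIRECTORY_SEPARATOR . $file);
        if ($path === false || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException("font definition not found under font dir: {$file}");
        }
        return [$family, $style, $file, $base . DIRECTORY_SEPARATOR];
    }
}

function safeAddFont(FPDF $pdf, FontCatalog $catalog, string $family, string $style = ''): void
{
    [$fam, $sty, $file, $dir] = $catalog->resolve($family, $style);
    $pdf->AddFont($fam, $sty, $file, $dir);   // only allowlisted, verified files get here
}

// --- Self-check of the validation logic (runs without fpdf.php) -------------
// Constructed attacker inputs: a foreign family, a traversal attempt via the
// family name, a traversal attempt via the style, and an unknown style.
$catalog  = new FontCatalog(__DIR__ . '/font');
$attempts = [
    ['evil', ''],
    ['../uploads/evil', ''],
    ['dejavusans', '/../uploads/evil'],
    ['dejavusans', 'X'],
];
$rejected = 0;
foreach ($attempts as [$fam, $sty]) {
    try {
        $catalog->resolve($fam, $sty);
    } catch (InvalidArgumentException $e) {
        $rejected++;
    }
}
printf("rejected %d of %d hostile font requests\n", $rejected, count($attempts));
```

The allowlist is the control that matters: because the family and style never reach AddFont() as free text, an attacker who has managed to upload a .php file somewhere on the host still cannot name it. The realpath() check is secondary and only guards against the font directory itself being misconfigured or symlinked into a writable location; it is not a substitute for keeping that directory read-only for the web server user.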