Cyber Resilience

CVE-2025-65875

High

Published: 03 February 2026

Published: 03 February 2026
Modified: 11 February 2026
KEV Added: (not listed)
Patch: (see references)
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (31.4th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2025-65875 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in FPDF (vendor fpdf, product fpdf). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 31.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-65875 is an arbitrary file upload vulnerability in the AddFont() function of FPDF version 1.86 and earlier. This issue, associated with CWE-434 (Unrestricted Upload of File with Dangerous Type), enables attackers to execute arbitrary code by uploading a crafted PHP file. The vulnerability was published on 2026-02-03 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation allows arbitrary code execution on the affected system, leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) within the unchanged scope (S:U).

Advisories and related resources, including those at http://www.fpdf.org, https://advisories.gitlab.com/pkg/composer/tecnickcom/tc-lib-pdf-font/CVE-2024-56520/, and https://github.com/Setasign/FPDF, provide further details on the issue for FPDF and associated libraries. Security practitioners should review these references for recommended mitigations, such as upgrading to patched versions where available.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.

CWE(s)

CWE-434 Unrestricted Upload of File with Dangerous Type

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

Arbitrary PHP file upload (CWE-434) in a web library directly enables remote exploitation of public-facing apps (T1190) and deployment of web shells for code execution (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22654 (shared CWE-434)
CVE-2025-11948 (shared CWE-434)
CVE-2025-67260 (shared CWE-434)
CVE-2025-28915 (shared CWE-434)
CVE-2023-53956 (shared CWE-434)
CVE-2025-6058 (shared CWE-434)
CVE-2021-47819 (shared CWE-434)
CVE-2025-7852 (shared CWE-434)
CVE-2026-4883 (shared CWE-434)
CVE-2019-25630 (shared CWE-434)

Affected Assets

Vendor: fpdf
Product: fpdf
Version: 1.8.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation) requires timely flaw remediation, directly addressing this CVE by upgrading FPDF to patched versions that fix the arbitrary PHP file upload in AddFont().

Prevent: SI-10 (Information Input Validation) enforces information input validation, preventing attackers from uploading crafted PHP files via the vulnerable AddFont() function.

Prevent: SI-9 (Information Input Restrictions) restricts information inputs to authorized types, blocking unrestricted uploads of dangerous PHP files to the FPDF AddFont() function.

References