Vulnerability DatabaseCVE-2024-22641

CVE-2024-22641:
Linux Debian vulnerability analysis and mitigation

Overview

TCPDF version 6.6.5 and earlier versions are vulnerable to a Regular Expression Denial of Service (ReDoS) vulnerability when parsing untrusted SVG files. The vulnerability is tracked as CVE-2024-22641 and was discovered in early 2024 (NVD).

Technical details

The vulnerability occurs during the SVG file parsing process in TCPDF. When processing untrusted SVG files, the application's regular expression pattern matching can be exploited to trigger excessive backtracking, leading to a ReDoS condition. This is confirmed by checking with preg_last_error() after the vulnerable code execution, which returns PREG_BACKTRACK_LIMIT_ERROR (GitHub POC). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

Impact

When exploited, this vulnerability can cause a denial of service condition through excessive resource consumption during SVG file parsing. The attack specifically targets the application's regular expression processing capabilities, potentially making the service unresponsive (GitHub POC).

Mitigation and workarounds

The vulnerability has been fixed in versions after 6.6.5. Users are advised to upgrade to the latest version of TCPDF to mitigate this security issue (NVD).

Additional resources

Source: This report was generated using AI

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

7.5

Score

Published May 28, 2024

Severity HIGH

CNA Score 7.5

Affected Technologies

Linux Debian
Linux Fedora

Has Public Exploit Yes

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 92.9

Exploitation Probability (EPSS) 9.7

Affected packages and libraries

php-tcpdf-gnu-free-sans-fonts
php-tcpdf-gnu-free-serif-fonts

Sources

NVD
Debian Security Tracker
- Debian 11, 12, 13 Severity HIGHHas FixAdded at: May 30, 2024
- Debian 14 Severity HIGHHas FixAdded at: Aug 10, 2025
Echo
- Echo Severity HIGHHas FixAdded at: Nov 18, 2025

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related Linux Debian vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-33986	HIGH	7.5	Wolfi	freerdp2	No	Yes	Mar 30, 2026
CVE-2026-33987	HIGH	7.1	Wolfi	freerdp2	No	Yes	Mar 30, 2026
CVE-2026-33995	MEDIUM	5.3	Wolfi	libwinpr	No	Yes	Mar 30, 2026
CVE-2026-34881	MEDIUM	5	Linux Debian	glance	No	Yes	Mar 31, 2026
CVE-2026-33691	N/A	N/A	Linux Debian	modsecurity-crs	No	No	Mar 31, 2026

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

A threat intelligence database

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."

David EstlickCISO

"Wiz provides a single pane of glass to see what is going on in our cloud environments."

Adam FletcherChief Security Officer

"We know that if Wiz identifies something as critical, it actually is."

Greg PoniatowskiHead of Threat and Vulnerability Management

Get a demo

CVE-2024-22641: Linux Debian vulnerability analysis and mitigation