CVE-2025-65875

FPDF · FPDF

An arbitrary file upload vulnerability exists in the AddFont() function of the FPDF library version 1.

Executive summary

The FPDF library contains a critical arbitrary file upload vulnerability that could allow an attacker to achieve remote code execution (RCE) on the host server.

Vulnerability

This vulnerability is located in the AddFont() function of FPDF v1. It allows for arbitrary file uploads, which can be exploited by an attacker to place a malicious script (such as a PHP web shell) on the server, typically without requiring authentication.

Business impact

An arbitrary file upload vulnerability is one of the most dangerous flaws, as it directly enables Remote Code Execution (RCE). With a CVSS score of 8.8, a successful exploit would give an attacker full control over the web server, leading to data breaches, site defacement, and potential lateral movement into the internal network.

Remediation

Immediate Action: Update the FPDF library to a version that includes a fix for the AddFont() function. If an update is not available, modify the code to strictly validate font file types and destinations.

Proactive Monitoring: Search the server for unexpected files in directories used by the FPDF library and monitor for execution of scripts in those directories.

Compensating Controls: Configure the web server to prevent the execution of PHP or other scripts in the directories where FPDF stores uploaded or generated files.
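The "Immediate Action" and "Proactive Monitoring" items above describe two concrete controls: never let untrusted input choose which font definition file AddFont() loads, and check the font directory for files that should not be there. The following is an added example written for this advisory, not code from the FPDF project. It assumes the FPDF 1.8x method signature `AddFont($family, $style = '', $file = '', $dir = '')`, PHP 8 or later (for `str_starts_with`), a deployer-chosen font directory `FONT_DIR` (hypothetical constant), a hypothetical allowlist `FONT_ALLOWLIST`, and that font definitions are the `.php` / `.z` pairs produced by FPDF's makefont utility.

```php
<?php
// Added example (not FPDF project code): a hardened wrapper around FPDF::AddFont()
// plus a small audit routine for the font directory.
// Assumptions: FPDF 1.8x signature AddFont($family, $style = '', $file = '', $dir = ''),
// PHP >= 8.0, and a trusted font directory FONT_DIR chosen by the deployer.

declare(strict_types=1);

require_once __DIR__ . '/fpdf.php'; // assumption: fpdf.php sits next to this file

const FONT_DIR = __DIR__ . '/fonts'; // assumption: not web-writable, ideally outside the document root

// Allowlist: the only font definition files this application will ever load.
// Keys are the names callers may use; values are fixed file names inside FONT_DIR.
// User input is used only to select a key, never to build a path or file name.
const FONT_ALLOWLIST = [
    'dejavu'      => ['family' => 'DejaVu', 'style' => '',  'file' => 'DejaVuSans.php'],
    'dejavu-bold' => ['family' => 'DejaVu', 'style' => 'B', 'file' => 'DejaVuSans-Bold.php'],
];

/**
 * Register a font with FPDF only if it is allowlisted and its definition file
 * resolves to a regular file inside FONT_DIR.
 */
function safeAddFont(FPDF $pdf, string $fontKey): void
{
    if (!array_key_exists($fontKey, FONT_ALLOWLIST)) {
        throw new InvalidArgumentException('Unknown font key');
    }
    $entry = FONT_ALLOWLIST[$fontKey];

    // Defence in depth: even allowlisted names must be plain basenames of the expected type.
    if (basename($entry['file']) !== $entry['file']
        || preg_match('/^[A-Za-z0-9_-]+\.php$/', $entry['file']) !== 1) {
        throw new RuntimeException('Font definition name is not a plain basename');
    }

    // Resolve symlinks and ".." before checking containment in the trusted directory.
    $dir  = realpath(FONT_DIR);
    $path = realpath(FONT_DIR . '/' . $entry['file']);
    if ($dir === false || $path === false
        || !str_starts_with($path, $dir . DIRECTORY_SEPARATOR)
        || !is_file($path)) {
        throw new RuntimeException('Font definition file is not inside the trusted font directory');
    }

    // Everything passed to AddFont() is a fixed string from the allowlist or the
    // resolved trusted directory; FPDF expects the directory with a trailing separator.
    $pdf->AddFont($entry['family'], $entry['style'], $entry['file'], $dir . DIRECTORY_SEPARATOR);
}

/**
 * Audit the font directory: return every file that is neither an allowlisted
 * font definition (.php) nor its compressed font data (.z, which makefont
 * produces alongside the definition). Anything else is unexpected.
 */
function auditFontDir(string $dir = FONT_DIR): array
{
    $expected = [];
    foreach (FONT_ALLOWLIST as $entry) {
        $expected[$entry['file']] = true;
        $expected[preg_replace('/\.php$/', '.z', $entry['file'])] = true;
    }

    $unexpected = [];
    foreach (new DirectoryIterator($dir) as $item) {
        if ($item->isDot()) {
            continue;
        }
        if (!isset($expected[$item->getFilename()])) {
            $unexpected[] = $item->getFilename();
        }
    }
    sort($unexpected);
    return $unexpected;
}

// CLI usage: `php fontguard.php` lists unexpected files and exits non-zero if any exist,
// which makes it easy to schedule as a periodic check.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $bad = auditFontDir();
    foreach ($bad as $name) {
        fwrite(STDERR, "Unexpected file in font directory: $name\n");
    }
    exit($bad === [] ? 0 : 1);
}
```

The design choice is to remove the attacker's influence over the path entirely: callers pick a key, the key maps to fixed strings, and the resolved path is still checked for containment in case the directory is later moved or symlinked. Keeping `FONT_DIR` outside the document root means the web-server rule in the "Compensating Controls" item acts as a second, independent layer rather than the only one.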

Exploitation status

Public Exploit Available: false

Analyst recommendation

The critical nature of this vulnerability requires immediate action. Developers should update the FPDF library across all projects and ensure that file upload security best practices are strictly enforced to prevent RCE.