CVE-2024-51058 is a Local File Inclusion (LFI) vulnerability identified in TCPDF version 6.7.5, a widely used PHP library for generating PDF documents. The vulnerability arises from insufficient validation of the <img> src attribute, which can be manipulated by an attacker to include arbitrary files from the server's filesystem. This flaw enables attackers to read sensitive files such as configuration files, credentials, or other private data, potentially leading to information disclosure. The vulnerability does not require authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score of 6.2 reflects a medium severity, with the attack vector being local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality (C:H), with no integrity or availability effects. No patches or fixes are currently linked, and no known exploits have been reported in the wild, suggesting the vulnerability is newly disclosed. The CWE-552 classification indicates exposure of sensitive information through improper file inclusion. This vulnerability is particularly relevant for web applications that dynamically generate PDFs and accept user input for image sources without proper sanitization.

For European organizations, the primary impact is unauthorized disclosure of sensitive information stored on servers running vulnerable TCPDF 6.7.5 instances. This can include configuration files, credentials, or other private data, potentially leading to further compromise if attackers leverage exposed information. Confidentiality breaches can damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR), and cause financial losses. Since TCPDF is commonly used in PHP-based web applications for document generation, sectors such as finance, healthcare, and government that rely on PDF reports or document automation are at higher risk. The lack of required privileges or user interaction means attackers can exploit this vulnerability remotely if they have local access or can influence the <img> src inputs, increasing the attack surface. Although no integrity or availability impacts are reported, the exposure of sensitive data alone warrants prompt attention.

1. Apply patches or updates from the TCPDF project once available to address CVE-2024-51058. 2. Until a patch is released, implement strict input validation and sanitization on all user-supplied data used in <img> src attributes within PDF generation workflows to prevent inclusion of arbitrary file paths. 3. Employ allowlisting for image sources, restricting inputs to trusted directories or URLs. 4. Use web application firewalls (WAFs) to detect and block suspicious requests attempting to exploit LFI patterns. 5. Conduct code reviews and security testing focusing on file inclusion and path traversal vulnerabilities in PDF generation modules. 6. Monitor logs for unusual file access patterns or errors related to file inclusion attempts. 7. Limit file system permissions of the web server process to minimize accessible files, reducing potential data exposure. 8. Educate developers on secure coding practices regarding file handling and user input.