CVE-2025-65875: n/a
An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file.
AI Analysis
Technical Summary
CVE-2025-65875 is an arbitrary file upload vulnerability reported in the AddFont() function of FPDF, a widely used PHP library for generating PDF documents. Versions 1.86 and earlier are affected. According to the CVE record, an attacker can get a crafted PHP file onto the server through AddFont() because the function does not adequately validate what it is given; once on disk, the file is executed by the server, yielding remote code execution (RCE). The CVSS v3.1 score of 8.8 reflects high impact on confidentiality, integrity and availability over a network vector with no user interaction. Note that 8.8, rather than 9.8, with those impact metrics corresponds to a low-privilege attacker: exploitation is assumed to need some level of access, such as an account that can reach the affected upload path, but nothing beyond that. No exploits in the wild have been reported, and no patch or vendor mitigation guidance is available at the time of writing, which increases the risk for exposed deployments.

A caveat for practitioners: FPDF itself ships no upload handler. AddFont() takes a font family name, an optional style, a font definition file name and an optional directory, and loads the definition file (a PHP script generated by FPDF's makefont tool) with a PHP include from the configured font directory. The exposure described here therefore arises in applications that let a user choose the file or directory argument, or that let users write files into the directory AddFont() loads from: a file name that is not restricted to known definition files, or an uploaded file whose contents are not checked, lets attacker-supplied PHP reach include and run. The result can be full system compromise, data theft, or disruption of services that rely on FPDF for PDF generation. Organizations embedding FPDF in web applications or document workflows should treat this vulnerability as critical and prioritize remediation.
Potential Impact
For European organizations, the impact of CVE-2025-65875 can be severe. Many enterprises, government agencies and service providers use FPDF, or tools derived from it, to generate PDF documents dynamically. Successful exploitation gives the attacker code execution as the web server user on the host running the PDF generator, which can lead to data breaches, loss of sensitive information and disruption of business operations. This is particularly concerning for sectors handling personal data under GDPR, where a breach can also bring regulatory penalties. Because exploitation needs no user interaction and only low privileges (for example, an account that can reach the upload path), automated and large-scale attacks are plausible. A compromised server can also serve as a pivot point for lateral movement within the network, amplifying the damage. With no patch or official fix available at this time, organizations must rely on compensating controls to reduce exposure. The threat is highest for public-facing web applications that integrate FPDF for document generation, especially where the application lets users upload fonts or choose which font file is loaded.
Mitigation Recommendations
1. Immediately audit all systems and applications using FPDF version 1.86 or earlier, including vendored copies (a file named fpdf.php inside the application tree) and forks built on it. For each call to AddFont(), check whether the file or directory argument can be influenced by request data.
2. Never pass user-controlled values to AddFont()'s file or directory parameters. Resolve a user-selected font through an allowlist of known definition files and refuse anything not on the list; do not fall back to the supplied name.
3. Keep the directory AddFont() loads from writable only by the deployment process, not by the web server user. Store any user-uploaded fonts in a separate directory outside the web root, with script execution disabled (for example `php_flag engine off` in an Apache .htaccess for that directory, or an nginx location rule that refuses to pass files there to PHP-FPM).
4. Validate uploads server-side: check the file's leading bytes against the font formats you accept rather than trusting the client-supplied MIME type, give the stored file a server-generated name and a non-executable extension, and never let an uploaded file acquire a .php name.
5. Use web application firewalls (WAFs) to detect and block upload requests containing PHP tags or targeting the font-handling endpoints.
6. Isolate PDF generation in a segregated environment with minimal privileges (a dedicated service account, read-only application code, no outbound network access it does not need) to limit the impact of a compromise.
7. Monitor for new .php files appearing in font or upload directories, for HTTP requests to such files, and for PHP include or warning entries naming unexpected font paths.
8. Track the FPDF project for a fixed release and plan prompt deployment as soon as one is available.
9. Educate developers and administrators on secure file handling practices and the risks of arbitrary file uploads and of include() on paths derived from input.
10. Conduct penetration testing focused on file upload and font selection vectors to validate the effectiveness of mitigations.
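The following is an added example, not code from FPDF or from this advisory, showing the dangerous call pattern described in the technical summary beside a hardened version that implements mitigations 2 to 4. The font directory path, the allowlist contents, the quarantine directory and the helper names (resolveFontDefinition, addAllowlistedFont, detectFontFormat, storeUploadedFont) are assumptions for illustration; FPDF's own AddFont() signature (family, style, file, dir) is the real one.

```php
<?php
// Added example for hardening an application's use of FPDF::AddFont().
// Not FPDF's own code; helper names and paths below are hypothetical.
declare(strict_types=1);

// ---- Vulnerable pattern (do not use) -----------------------------------
// AddFont() loads "$dir/$file" with a PHP include. Letting the request
// choose either argument lets the attacker choose which PHP script runs:
//   $pdf->AddFont('Custom', '', $_GET['font_file'], $_GET['font_dir']);
// Letting users upload into the font directory has the same effect once a
// file such as "custom.php" lands there and a later request names it.

// ---- Hardened pattern ---------------------------------------------------

// Fixed directory outside the web root, writable only by deploy tooling (assumed path).
const FONT_DIR = '/srv/app/fonts/';

// Public font identifier => definition file generated by FPDF's makefont tool.
// Only these files can ever reach AddFont().
const FONT_ALLOWLIST = [
    'dejavu'      => ['family' => 'DejaVu', 'style' => '',  'file' => 'DejaVuSans.php'],
    'dejavu-bold' => ['family' => 'DejaVu', 'style' => 'B', 'file' => 'DejaVuSans-Bold.php'],
];

/**
 * Map an untrusted font identifier to a vetted definition file.
 * Returns null for unknown identifiers; never builds a path from the input.
 */
function resolveFontDefinition(string $requested): ?array
{
    $key = strtolower(trim($requested));
    if (!isset(FONT_ALLOWLIST[$key])) {
        return null;
    }
    $entry = FONT_ALLOWLIST[$key];
    // Defense in depth: the resolved file must exist and must sit inside FONT_DIR.
    $base = realpath(FONT_DIR);
    $real = realpath(FONT_DIR . $entry['file']);
    if ($base === false || $real === false || !is_file($real)
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $entry + ['dir' => FONT_DIR];
}

/** Register a font on an FPDF instance using only allowlisted arguments. */
function addAllowlistedFont(FPDF $pdf, string $requested): bool
{
    $font = resolveFontDefinition($requested);
    if ($font === null) {
        return false; // unknown font: refuse, do not fall back to the request value
    }
    $pdf->AddFont($font['family'], $font['style'], $font['file'], $font['dir']);
    return true;
}

// ---- Validating raw font uploads before they reach any directory --------

/** Identify a font container by its leading bytes; null if it is not a font. */
function detectFontFormat(string $bytes): ?string
{
    $head = substr($bytes, 0, 4);
    if ($head === "\x00\x01\x00\x00" || $head === 'true') return 'ttf'; // TrueType
    if ($head === 'OTTO')                                 return 'otf'; // OpenType/CFF
    if (substr($bytes, 0, 2) === "\x80\x01")              return 'pfb'; // Type1 binary
    return null;
}

/**
 * Accept an uploaded raw font only if its content is a real font, and store it
 * under a server-chosen name in a non-executable quarantine directory.
 * The bytes never get a .php name and are never include()d; converting them
 * into a definition file is a separate offline makefont step run by an operator.
 */
function storeUploadedFont(string $tmpPath, string $quarantineDir): ?string
{
    $head   = file_get_contents($tmpPath, false, null, 0, 4);
    $format = $head === false ? null : detectFontFormat($head);
    if ($format === null) {
        return null; // client-supplied name and MIME type are ignored on purpose
    }
    $dest = rtrim($quarantineDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $format;
    if (!move_uploaded_file($tmpPath, $dest)) {
        return null;
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $dest;
}

// Usage (assumes FPDF is loaded, e.g. require 'fpdf.php'):
//   $pdf = new FPDF();
//   addAllowlistedFont($pdf, $_GET['font'] ?? 'dejavu') or http_response_code(400);
//   $stored = storeUploadedFont($_FILES['font']['tmp_name'], '/srv/app/font-quarantine');
```

The key design choice is that request data only ever selects an allowlist key; the family, style, file and directory passed to AddFont() are constants. Even if a user-uploaded font is accepted, it is stored under a random name with a font extension in a directory the web server never executes from, and it only becomes an FPDF definition file through an operator-run makefont step, so no request can place PHP where AddFont() will include it.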
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-11-18T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6982fcd3f9fa50a62f7662f8
Added to database: 2/4/2026, 8:01:23 AM
Last enriched: 2/4/2026, 8:10:32 AM
Last updated: 2/7/2026, 6:00:27 PM
Views: 10
Related Threats
- CVE-2026-2106: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2026-2105: Improper Authorization in yeqifu warehouse (Medium)
- CVE-2026-2090: SQL Injection in SourceCodester Online Class Record System (Medium)
- CVE-2026-2089: SQL Injection in SourceCodester Online Class Record System (Medium)
- CVE-2026-2088: SQL Injection in PHPGurukul Beauty Parlour Management System (Medium)