CVE-2025-65875 is an arbitrary file upload vulnerability identified in the AddFont() function of the FPDF library version 1.86 and earlier. FPDF is a widely used PHP library for generating PDF documents dynamically. The vulnerability arises because the AddFont() function improperly handles font file uploads, allowing an attacker to upload a maliciously crafted PHP file disguised as a font file. Since the uploaded file can be executed on the server, this leads to remote code execution (RCE) without requiring user interaction. The CVSS v3.1 score of 8.8 reflects the high severity, with an attack vector over the network (AV:N), low attack complexity (AC:L), no user interaction (UI:N), and requiring only low privileges (PR:L). The vulnerability affects confidentiality, integrity, and availability by enabling arbitrary code execution, potentially allowing attackers to take full control of the affected server. Although no known exploits are currently reported in the wild, the lack of patches and the critical nature of the vulnerability make it a significant threat. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type), indicating improper validation of uploaded files. Since FPDF is commonly integrated into web applications for PDF generation, any web-facing application using vulnerable versions is at risk. The absence of official patches necessitates immediate mitigation through configuration changes and monitoring.

For European organizations, the impact of CVE-2025-65875 can be severe. Organizations using FPDF in web applications—especially those generating PDFs dynamically—may face remote code execution attacks, leading to full system compromise. This can result in data breaches, unauthorized access to sensitive information, disruption of services, and potential lateral movement within networks. Sectors such as finance, government, healthcare, and digital services that rely on PDF generation are particularly vulnerable. The vulnerability's exploitation could undermine trust in digital services and lead to regulatory penalties under GDPR if personal data is compromised. Additionally, the ability to execute arbitrary code remotely without user interaction increases the risk of automated exploitation campaigns targeting vulnerable European infrastructure. The lack of patches and the ease of exploitation heighten the urgency for European organizations to assess their exposure and implement mitigations promptly.

Since no official patches are currently available, European organizations should implement the following specific mitigations: 1) Immediately audit all web applications using FPDF to identify vulnerable versions (v1.86 and earlier). 2) Restrict file upload permissions and disable font uploads where not strictly necessary. 3) Implement strict server-side validation to verify the file type and reject any non-font or executable files. 4) Use web application firewalls (WAFs) to detect and block attempts to upload PHP or other executable files disguised as fonts. 5) Monitor web server logs and file upload directories for suspicious activity or unexpected file types. 6) Consider isolating PDF generation services in segmented environments with minimal privileges to limit potential damage. 7) Prepare to update or patch FPDF immediately once a fix is released. 8) Educate developers about secure file handling practices to prevent similar vulnerabilities. These steps go beyond generic advice by focusing on the specific attack vector and the nature of the vulnerable function.