Is setasign/fpdi affected by CVE-2025-54869?

Packagist setasign/fpdi is affected in <2.6.4.

Is CVE-2025-54869 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

medium

CVE-2025-54869

Q: Is CVE-2025-54869 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.3%.

Packagist · setasign/fpdi

Summary

FPDI allows Memory Exhaustion (OOM) in PDF Parser which leads to Denial of Service

Severity: medium
EPSS: 0.3% (p19)
Also known as: GHSA-jxhh-4648-vpp3
Published: 2025-08-05

References

https://github.com/Setasign/FPDI/security/advisories/GHSA-jxhh-4648-vpp3
https://nvd.nist.gov/vuln/detail/CVE-2025-54869
https://github.com/Setasign/FPDI/commit/ba671ba9221cffd32c2dda87316c19f522a1c5f0

Related advisories

CVE-2026-45802 — medium · Packagist/setasign/fpdi

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.