CVE-2021-29475

10.0 CRITICAL

📋 TL;DR

CVE-2021-29475 is a critical file disclosure vulnerability in HedgeDoc (formerly CodiMD) where attackers can read arbitrary files from the filesystem when exporting notes to PDF. This affects all HedgeDoc instances with PDF export enabled, requiring the attacker to have note modification privileges. The vulnerability allows exfiltration of sensitive configuration files containing credentials and secrets.

💻 Affected Systems

Products:
  • HedgeDoc
  • CodiMD
Versions: All versions before 1.5.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances with PDF export enabled (enabled by default in affected versions).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the HedgeDoc instance with theft of database credentials, OAuth secrets, and other sensitive files from the server filesystem, potentially leading to further system compromise.

🟠 Likely Case

Exfiltration of the config.json file containing database credentials and application secrets, enabling unauthorized access to the HedgeDoc database and potentially other systems using the same credentials.

🟢 If Mitigated

No file disclosure if PDF export is disabled or the system is patched, though other vulnerabilities in the application could still pose risks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires ability to modify note content and PDF export to be enabled. The advisory includes technical details of the exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.5.0

Vendor Advisory: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-pxxg-px9v-6qf3

Restart Required: Yes

Instructions:

1. Upgrade HedgeDoc to version 1.5.0 or later.
2. Restart the HedgeDoc service.
3. Verify PDF export functionality if needed for your use case.

🔧 Temporary Workarounds

Disable PDF Export (all)

Disable PDF export functionality via the environment variable to prevent exploitation of this vulnerability:

CMD_ALLOW_PDF_EXPORT=false

Configuration File Modification (all)

Set allowPDFExport to false in config.json:

"allowPDFExport": false

🧯 If You Can't Patch

  • Immediately disable PDF export via environment variable or configuration file
  • Restrict note editing permissions to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check if HedgeDoc version is below 1.5.0 and PDF export is enabled in configuration or environment variables.

Check Version:

Check the HedgeDoc web interface footer or application logs for version information

Verify Fix Applied:

Verify HedgeDoc version is 1.5.0 or higher and test that PDF export either works securely or is disabled as intended.
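The version-and-configuration check described above, written out as a small script. This is an added example and not code from HedgeDoc or from this advisory; it assumes "major.minor.patch" version strings, the allowPDFExport key and CMD_ALLOW_PDF_EXPORT variable named on this page, that PDF export is on when neither is set (the page says it is enabled by default), and that an explicit environment variable takes precedence over config.json. Pass it the config object for the active environment.

```javascript
// Added example (not from the HedgeDoc project): decide whether a HedgeDoc
// deployment is exposed to CVE-2021-29475 from the three inputs the page
// names: running version, config.json contents and process environment.
// Assumptions: "major.minor.patch" versions, the config key allowPDFExport,
// the env var CMD_ALLOW_PDF_EXPORT, and env-over-config precedence.

const FIXED_VERSION = '1.5.0';

// Parse "1.4.0", "v1.4.0" or "1.4.0-beta" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Negative if a < b, 0 if equal, positive if a > b (numeric, not lexical,
// so 1.10.0 correctly sorts after 1.9.0).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Interpret a boolean-like setting the way operators write it: the strings
// "false", "0", "no", "off" and "" mean disabled, anything else enabled.
function toBool(value) {
  if (typeof value === 'boolean') return value;
  if (typeof value === 'number') return value !== 0;
  if (typeof value === 'string') {
    return !['false', '0', 'no', 'off', ''].includes(value.trim().toLowerCase());
  }
  return false;
}

// PDF export is on by default in affected versions; an explicit environment
// variable wins over config.json (assumed precedence).
function pdfExportEnabled(config, env) {
  if (Object.prototype.hasOwnProperty.call(env, 'CMD_ALLOW_PDF_EXPORT')) {
    return toBool(env.CMD_ALLOW_PDF_EXPORT);
  }
  if (config && Object.prototype.hasOwnProperty.call(config, 'allowPDFExport')) {
    return toBool(config.allowPDFExport);
  }
  return true;
}

// Returns { unpatched, exportOn, status } for one instance.
function assessInstance({ version, config = {}, env = {} }) {
  const unpatched = compareVersions(version, FIXED_VERSION) < 0;
  const exportOn = pdfExportEnabled(config, env);
  let status;
  if (!unpatched) status = 'patched';
  else if (!exportOn) status = 'mitigated (PDF export disabled)';
  else status = 'VULNERABLE';
  return { unpatched, exportOn, status };
}

// Constructed sample instance (not a real deployment).
const SAMPLE = assessInstance({
  version: '1.4.0',
  config: { allowPDFExport: true },
  env: {},
});
console.log(`sample instance: ${SAMPLE.status}`);
```

Feed it the real values from the footer or logs (version), the active environment block of config.json, and process.env; a "mitigated" result still warrants the upgrade, since it only reflects the workaround.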

📡 Detection & Monitoring

Log Indicators:

  • Unusual PDF export requests, especially with file:// URLs in note content
  • Multiple failed PDF generation attempts

Network Indicators:

  • Unexpected outbound data transfers following PDF export operations

SIEM Query:

source="hedgedoc" AND ("pdf export" OR "phantomjs") AND ("file://" OR "config.json")
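The log indicators and the SIEM query above, expressed as a standalone detector. This is an added example and not part of this advisory or of HedgeDoc: the access-log layout and note contents are constructed for the example, and the export route GET /<noteId>/pdf is an assumption to adapt to your own logs. It correlates each PDF export request with the content of the exported note, alerts once per client and note when that content carries a file:// URL or a config.json reference, and separately alerts when one client accumulates repeated failed exports.

```javascript
// Added example (not from HedgeDoc or this advisory): correlate PDF export
// requests with note content and flag the page's indicators.
// Constructed access-log lines: "<ts> <client> <status> <method> <path>".
const ACCESS_LOG = `
2021-04-20T10:00:01Z 198.51.100.7 200 GET /abc123/pdf
2021-04-20T10:00:05Z 198.51.100.7 500 GET /abc123/pdf
2021-04-20T10:00:09Z 198.51.100.7 500 GET /abc123/pdf
2021-04-20T10:00:12Z 198.51.100.7 500 GET /abc123/pdf
2021-04-20T10:01:00Z 203.0.113.9 200 GET /def456/pdf
2021-04-20T10:02:00Z 203.0.113.9 200 GET /def456
`.trim().split('\n');

// Constructed note contents keyed by note id (what a revision store holds).
// The first one carries both indicators from the page's SIEM query.
const NOTE_CONTENT = {
  abc123: '# Report\n![img](file:///example-path/config.json)\n',
  def456: '# Weekly notes\n- ship release\n',
};

// Content-level indicators taken from the page's Log Indicators / SIEM query.
const INDICATOR_PATTERNS = [
  { name: 'file-scheme-url', re: /file:\/\//i },
  { name: 'config-json-reference', re: /config\.json/i },
];

function parseAccessLine(line) {
  const m = /^(\S+) (\S+) (\d{3}) (\S+) (\S+)$/.exec(line);
  if (!m) return null;
  return { ts: m[1], client: m[2], status: Number(m[3]), method: m[4], path: m[5] };
}

// Assumed export route: GET /<noteId>/pdf. Returns the note id or null.
function pdfExportNoteId(path) {
  const m = /^\/([^/]+)\/pdf$/.exec(path);
  return m ? m[1] : null;
}

// Names of the indicators present in a note body.
function scanNoteContent(content) {
  return INDICATOR_PATTERNS.filter(p => p.re.test(content)).map(p => p.name);
}

// Returns alerts: one per (client, note) pair whose exported note contains an
// indicator, plus one per client whose failed exports reach failureThreshold.
function detect(lines, notes, failureThreshold = 3) {
  const alerts = [];
  const failures = new Map();
  const seen = new Set();
  for (const line of lines) {
    const ev = parseAccessLine(line);
    if (!ev) continue;
    const noteId = pdfExportNoteId(ev.path);
    if (!noteId) continue;
    const hits = scanNoteContent(notes[noteId] || '');
    const key = `${ev.client}|${noteId}`;
    if (hits.length && !seen.has(key)) {
      seen.add(key);
      alerts.push({ type: 'suspicious-pdf-export', client: ev.client, noteId, indicators: hits, ts: ev.ts });
    }
    if (ev.status >= 500) {
      const n = (failures.get(ev.client) || 0) + 1;
      failures.set(ev.client, n);
      if (n === failureThreshold) {
        alerts.push({ type: 'repeated-pdf-failures', client: ev.client, count: n, ts: ev.ts });
      }
    }
  }
  return alerts;
}

const ALERTS = detect(ACCESS_LOG, NOTE_CONTENT);
for (const a of ALERTS) console.log(JSON.stringify(a));
```

Against the constructed input this yields two alerts: the export of note abc123 (both indicators) and the third failed export from the same client. Tune failureThreshold to your baseline, since legitimate rendering errors also produce 5xx responses.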
