Login Sign Up

CVE-2021-31451

7.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability in Foxit Reader allows remote attackers to execute arbitrary code by tricking users into opening malicious PDF files or visiting malicious web pages. The flaw exists in how Annotation objects are handled, enabling attackers to run code with the same privileges as the current user. Users of affected Foxit Reader versions are at risk.

💻 Affected Systems

Products:
  • Foxit Reader
Versions: 10.1.1.37576 and earlier versions
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. User interaction required (opening malicious file or visiting malicious page).

📦 What is this software?

Foxit Reader by Foxitsoftware

View all CVEs affecting Foxit Reader →

Phantompdf by Foxitsoftware

View all CVEs affecting Phantompdf →

Phantompdf by Foxitsoftware

View all CVEs affecting Phantompdf →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise via remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Malware installation or data theft through targeted phishing campaigns using malicious PDF attachments.

🟢

If Mitigated

Limited impact if proper application sandboxing, least privilege principles, and network segmentation are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is straightforward once malicious content is delivered. ZDI-CAN-13089 reference indicates professional research.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.2 or later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download latest Foxit Reader from official website
2. Run installer to update
3. Restart computer after installation

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

all

Prevents execution of malicious scripts that could trigger the vulnerability

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Use Protected View

all

Open PDFs in restricted mode to limit potential damage

Open Foxit Reader > File > Preferences > Trust Manager > Check 'Enable Safe Reading Mode'

🧯 If You Can't Patch

  • Use alternative PDF readers that are not vulnerable
  • Block PDF files from untrusted sources at email/web gateways

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version in Help > About. If version is 10.1.1.37576 or earlier, system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 10.1.2 or later in Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader crash logs with memory access violations
  • Unexpected child processes spawned from Foxit Reader

Network Indicators:

  • Downloads of PDF files from suspicious sources
  • Outbound connections from Foxit Reader to unknown IPs

SIEM Query:

process_name:"FoxitReader.exe" AND (event_type:"process_creation" OR event_type:"crash")

📊 Metadata

CVE ID: CVE-2021-31451
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-416
Published: May 7, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-31451, you might also want to check these:

CVE-2025-24085 10.0

This CVE describes a use-after-free vulnerability (CWE-416) in Apple operating systems that allows m...

Same vulnerability type (CWE-416)
CVE-2024-43102 10.0

This CVE describes a use-after-free vulnerability in FreeBSD's umtx (user mutex) subsystem where con...

Same vulnerability type (CWE-416)
CVE-2021-33796 10.0

CVE-2021-33796 is a use-after-free vulnerability in MuJS's regexp source property access that can le...

Same vulnerability type (CWE-416)