CVE-2021-31473

7.8 HIGH

📋 TL;DR

CVE-2021-31473 is a remote code execution vulnerability in Foxit Reader's browseForDoc function. Attackers can exploit it by tricking users into opening malicious PDF files or visiting malicious web pages, allowing arbitrary code execution in the context of the current process. This affects users of vulnerable Foxit Reader versions.

💻 Affected Systems

Products:
  • Foxit Reader
Versions: 10.1.3.37598 and earlier versions
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. User interaction required (opening malicious file or visiting malicious page).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise through arbitrary code execution with the same privileges as the user running Foxit Reader, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠 Likely Case

Malware installation, credential theft, or data exfiltration through crafted PDF documents or web pages.

🟢 If Mitigated

Limited impact if proper application sandboxing, least privilege principles, and network segmentation are implemented.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction but is straightforward once malicious content is delivered. ZDI published an advisory with technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.1.4.37651 and later

Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php

Restart Required: Yes

Instructions:

1. Download latest Foxit Reader from official website.
2. Run installer.
3. Restart system if prompted.
4. Verify version is 10.1.4.37651 or higher.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

all

Prevents JavaScript-based exploitation vectors

Open Foxit Reader > File > Preferences > Trust Manager > Uncheck 'Enable JavaScript'

Use Protected View

all

Opens documents in restricted mode

Open Foxit Reader > File > Preferences > Trust Manager > Check 'Safe Reading Mode'

🧯 If You Can't Patch

  • Uninstall Foxit Reader and use alternative PDF viewers
  • Implement application whitelisting to block Foxit Reader execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version in Help > About. If version is 10.1.3.37598 or earlier, system is vulnerable.

Check Version:

On Windows: wmic product where name="Foxit Reader" get version

Verify Fix Applied:

Verify version is 10.1.4.37651 or higher in Help > About.
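
A scripted form of the version check above, as an added example that is not part of the original advisory or any vendor tooling: it reads the Windows uninstall registry keys and compares each installed version with the fixed build 10.1.4.37651. The `Foxit Reader*` display-name pattern and the function name `Get-FoxitReaderStatus` are assumptions.

```powershell
# Added example: local check for CVE-2021-31473 exposure on Windows.
# The fixed build number comes from this advisory. The DisplayName pattern is
# an assumption; adjust it if the product is registered under another name.
# Unlike 'wmic product' (Win32_Product), this also sees non-MSI installs.
$FixedVersion = [version]'10.1.4.37651'
$NamePattern  = 'Foxit Reader*'

# Per-machine (64-bit and 32-bit views) and per-user uninstall keys.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-FoxitReaderStatus {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern }

    foreach ($entry in $entries) {
        # DisplayVersion can be missing or malformed; report that instead of guessing.
        $parsed = $null
        $isValid = [version]::TryParse([string]$entry.DisplayVersion, [ref]$parsed)

        # Anything below the fixed build is treated as vulnerable (conservative).
        if (-not $isValid) {
            $status = 'UNKNOWN'
        } elseif ($parsed -lt $FixedVersion) {
            $status = 'VULNERABLE'
        } else {
            $status = 'PATCHED'
        }

        [pscustomobject]@{
            Name        = $entry.DisplayName
            Version     = $entry.DisplayVersion
            Status      = $status
            RegistryKey = $entry.PSPath
        }
    }
}

$results = @(Get-FoxitReaderStatus)
if ($results.Count -eq 0) {
    Write-Output 'No Foxit Reader entry found in the uninstall registry keys.'
} else {
    $results | Format-List
}
```

An `UNKNOWN` status means the registry entry exists but its version string could not be parsed; confirm those hosts manually in Help > About.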

📡 Detection & Monitoring

Log Indicators:

  • Process creation events from Foxit Reader with unusual command-line arguments
  • Crash reports from Foxit Reader

Network Indicators:

  • Downloads of PDF files from untrusted sources
  • HTTP requests to suspicious domains following PDF opening

SIEM Query:

source="*foxit*" AND (event_type="process_creation" OR event_type="crash")
