Login Sign Up

CVE-2023-41257

8.8 HIGH
Remote Code Execution

📋 TL;DR

A type confusion vulnerability in Foxit Reader 12.1.2.15356 allows arbitrary code execution when processing malicious PDF files containing JavaScript. Attackers can exploit this by tricking users into opening malicious PDFs or visiting malicious websites with the browser plugin enabled. This affects all users running the vulnerable version of Foxit Reader.

💻 Affected Systems

Products:
  • Foxit Reader
Versions: 12.1.2.15356
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Browser plugin extension must be enabled for web-based exploitation. All platforms running the vulnerable version are affected.

📦 What is this software?

Foxit Reader by Foxitsoftware

View all CVEs affecting Foxit Reader →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining complete control over the victim's machine, enabling data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Malware installation leading to data exfiltration, credential theft, or system disruption.

🟢

If Mitigated

Limited impact with proper security controls, potentially just application crash or denial of service.

🌐 Internet-Facing: HIGH - Exploitable via malicious websites when browser plugin is enabled, making internet-facing systems vulnerable.
🏢 Internal Only: HIGH - Internal users opening malicious PDFs (via email, file shares) can lead to widespread compromise.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires user interaction (opening PDF or visiting malicious site). No public exploit code available at time of analysis.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 12.1.3 or later

Vendor Advisory: https://www.foxit.com/support/security-bulletins.html

Restart Required: Yes

Instructions:

1. Download latest Foxit Reader from official website. 2. Run installer. 3. Restart system. 4. Verify version is 12.1.3 or higher.

🔧 Temporary Workarounds

Disable JavaScript in Foxit Reader

all

Prevents JavaScript execution in PDFs, blocking the exploitation vector.

Open Foxit Reader > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'

Disable Browser Plugin

all

Prevents web-based exploitation via malicious websites.

Browser settings > Extensions/Add-ons > Disable Foxit Reader plugin

🧯 If You Can't Patch

  • Use alternative PDF readers that are not vulnerable
  • Implement application whitelisting to block Foxit Reader execution

🔍 How to Verify

Check if Vulnerable:

Check Foxit Reader version in Help > About. If version is 12.1.2.15356, system is vulnerable.

Check Version:

On Windows: wmic product where name='Foxit Reader' get version

Verify Fix Applied:

Verify version is 12.1.3 or higher in Help > About.

📡 Detection & Monitoring

Log Indicators:

  • Foxit Reader crash logs
  • Unexpected JavaScript execution in PDF files
  • Process creation from Foxit Reader

Network Indicators:

  • Downloads of PDF files from suspicious sources
  • Outbound connections from Foxit Reader process

SIEM Query:

process_name='FoxitReader.exe' AND (event_id=1000 OR parent_process contains 'browser')

📊 Metadata

CVE ID: CVE-2023-41257
CVSS v3 Score: 8.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-843
Published: November 27, 2023
Last Updated: November 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-41257, you might also want to check these:

CVE-2025-47151 9.8

A type confusion vulnerability in Entr'ouvert Lasso's SAML parsing allows remote code execution when...

Same vulnerability type (CWE-843)
CVE-2025-65570 9.8

A type confusion vulnerability in jsish 2.0 allows incorrect control flow during execution of the OP...

Same vulnerability type (CWE-843)
CVE-2020-25575 9.8

This vulnerability in the Rust failure crate (versions through 0.1.5) involves a type confusion flaw...

Same vulnerability type (CWE-843)