CVE-2025-11362
📋 TL;DR
This vulnerability in pdfmake allows attackers to cause denial of service by embedding malicious URLs that trigger repeated redirects, consuming excessive resources. It affects applications using pdfmake versions before 0.3.0-beta.17 for PDF generation. Developers who embed user-controlled URLs in PDFs are particularly vulnerable.
💻 Affected Systems
- pdfmake
📦 What is this software?
Pdfmake by Pdfmake
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash and denial of service, potentially affecting all users of the vulnerable system.
Likely Case
Application becomes unresponsive or crashes when processing PDFs with malicious redirect URLs, disrupting PDF generation functionality.
If Mitigated
Limited impact with proper input validation and resource limits, potentially causing only temporary performance degradation.
🎯 Exploit Status
Exploitation requires only the ability to provide URLs to the PDF generation function, which is often exposed to users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.3.0-beta.17 and later
Vendor Advisory: https://github.com/bpampuch/pdfmake/commit/741169634bf07730e010cd77477b6cc038e846ed
Restart Required: No
Instructions:
1. Update the pdfmake package to version 0.3.0-beta.17 or higher.
2. Run 'npm update pdfmake' or 'yarn upgrade pdfmake'.
3. Test PDF generation functionality.
🔧 Temporary Workarounds
Input Validation for URLs (all platforms)
Implement server-side validation to reject URLs with redirect chains, or limit the redirect depth that is followed.
Resource Limiting (all platforms)
Configure process timeouts and memory limits for PDF generation tasks.
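The two workarounds above can be combined in the application layer: resolve every user-supplied URL yourself, with a hard cap on the number of redirects and a per-request timeout, and only hand pdfmake the final URL (or refuse the request). The code below is an added example written for this advisory; it is not pdfmake's own code and does not call pdfmake. It assumes the application fetches URLs before embedding them, and it takes the fetch function as a parameter (`fetchImpl`) so the logic can be exercised offline with a constructed fake; in production pass Node's global `fetch`. The redirect cap of 3 and the 5-second timeout are example values.

```javascript
// Added example (not pdfmake's code): resolve a user-supplied URL with a hard
// cap on redirects and a timeout before the result is handed to pdfmake.
// fetchImpl is injected so the logic can be exercised offline with a fake;
// in production pass the global fetch (Node 18+), which honours
// { redirect: 'manual' } and exposes headers.get('location').

const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Parse and sanity-check a URL string; returns {ok, url} or {ok, reason}.
function validateUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: 'scheme-not-allowed' };
  }
  return { ok: true, url };
}

// Follow at most maxRedirects 3xx hops, refusing loops and redirects that
// carry no Location header. Resolves to {ok:true, finalUrl, status, hops}
// or {ok:false, reason, hops}; hops counts redirects actually followed.
async function resolveWithRedirectLimit(raw, fetchImpl, { maxRedirects = 3, timeoutMs = 5000 } = {}) {
  const seen = new Set();
  let current = raw;
  for (let hops = 0; hops <= maxRedirects; hops++) {
    const v = validateUrl(current);
    if (!v.ok) return { ok: false, reason: v.reason, hops };
    if (seen.has(v.url.href)) return { ok: false, reason: 'redirect-loop', hops };
    seen.add(v.url.href);

    // AbortSignal.timeout exists in Node >= 17.3; older runtimes get no signal.
    const signal = typeof AbortSignal !== 'undefined' && AbortSignal.timeout
      ? AbortSignal.timeout(timeoutMs) : undefined;
    const res = await fetchImpl(v.url.href, { redirect: 'manual', signal });

    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.get('location');
      if (!location) return { ok: false, reason: 'redirect-without-location', hops };
      // A relative Location is resolved against the URL of the current hop.
      current = new URL(location, v.url).href;
      continue;
    }
    return { ok: true, finalUrl: v.url.href, status: res.status, hops };
  }
  return { ok: false, reason: 'too-many-redirects', hops: maxRedirects };
}

// Constructed fake fetcher: an in-memory table of redirect responses keyed
// by URL. Any URL not in the table answers 200.
function makeFakeFetch(table) {
  return async (href) => {
    const entry = table[href];
    if (!entry) return { status: 200, headers: new Map() };
    return { status: entry.status, headers: new Map([['location', entry.location]]) };
  };
}

// Constructed sample site: a two-hop chain, a redirect loop, and a long chain.
const FAKE_SITE = makeFakeFetch({
  'http://example.invalid/a': { status: 302, location: '/b' },
  'http://example.invalid/b': { status: 301, location: 'http://example.invalid/final' },
  'http://example.invalid/loop1': { status: 302, location: '/loop2' },
  'http://example.invalid/loop2': { status: 302, location: '/loop1' },
  'http://example.invalid/deep0': { status: 302, location: '/deep1' },
  'http://example.invalid/deep1': { status: 302, location: '/deep2' },
  'http://example.invalid/deep2': { status: 302, location: '/deep3' },
  'http://example.invalid/deep3': { status: 302, location: '/deep4' },
  'http://example.invalid/deep4': { status: 302, location: '/deep5' },
});

if (typeof require !== 'undefined' && require.main === module) {
  (async () => {
    for (const u of ['http://example.invalid/a', 'http://example.invalid/loop1',
                     'http://example.invalid/deep0', 'ftp://example.invalid/x']) {
      console.log(u, await resolveWithRedirectLimit(u, FAKE_SITE));
    }
  })();
}
```

Against the constructed site, the two-hop chain resolves to `/final`, the loop is refused on the third visit, the `deep` chain is refused once the cap is reached, and the `ftp:` URL is rejected before any request is made. A request that exceeds `timeoutMs` rejects with an AbortError, which the caller should treat the same way as a refused URL.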
🧯 If You Can't Patch
- Disable URL embedding functionality in pdfmake configuration
- Implement rate limiting and request validation for PDF generation endpoints
🔍 How to Verify
Check if Vulnerable:
Check package.json for pdfmake version. If version is below 0.3.0-beta.17 and application uses URL embedding, it's vulnerable.
Check Version:
npm list pdfmake | grep pdfmake
Verify Fix Applied:
After updating, verify the version is 0.3.0-beta.17 or higher and test PDF generation with various URL inputs.
📡 Detection & Monitoring
Log Indicators:
- Multiple redirect errors in PDF generation logs
- High memory or CPU usage during PDF processing
- Failed PDF generation requests with timeout errors
Network Indicators:
- Repeated HTTP redirect requests from PDF generation service
- Unusually large number of PDF generation requests from single source
SIEM Query:
source="application.log" AND "pdfmake" AND ("redirect" OR "timeout" OR "memory")
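The log indicators above are more useful when correlated per source than as single events: one redirect error is noise, several from the same client inside a minute is the pattern worth an alert. The following added example, written for this advisory and not part of pdfmake or any SIEM, parses constructed application log lines in an assumed `key=value` format and flags any source that produces `threshold` redirect, timeout or memory indicators within a sliding window. The log format, the field names and the sample lines are all constructed; adapt `LINE_RE` to your application's logger.

```javascript
// Added example (not from the advisory): correlate pdfmake redirect/timeout/
// memory log indicators per source over a sliding time window.

// Constructed sample log lines in an assumed "ts LEVEL pdfmake k=v ..." format.
const SAMPLE_LOGS = [
  '2025-10-07T10:00:01Z INFO  pdfmake job=101 src=10.0.0.5 msg="rendered" duration_ms=140',
  '2025-10-07T10:00:02Z ERROR pdfmake job=102 src=10.0.0.9 msg="too many redirects" url=http://example.invalid/deep0',
  '2025-10-07T10:00:09Z ERROR pdfmake job=103 src=10.0.0.9 msg="too many redirects" url=http://example.invalid/deep0',
  '2025-10-07T10:00:15Z ERROR pdfmake job=104 src=10.0.0.7 msg="request timeout" url=http://example.invalid/slow',
  '2025-10-07T10:00:21Z ERROR pdfmake job=105 src=10.0.0.9 msg="redirect loop detected" url=http://example.invalid/loop1',
  '2025-10-07T10:05:30Z ERROR pdfmake job=106 src=10.0.0.9 msg="too many redirects" url=http://example.invalid/deep0',
  '2025-10-07T10:05:40Z WARN  pdfmake job=107 src=10.0.0.9 msg="memory limit reached" rss_mb=1900',
];

const LINE_RE = /^(\S+)\s+(\w+)\s+pdfmake\s+job=(\d+)\s+src=(\S+)\s+msg="([^"]*)"(.*)$/;
// Same terms as the SIEM query above.
const INDICATOR_RE = /redirect|timeout|memory/i;

// Parse one line into an event, or null when the line is not in our format.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return { ts: Date.parse(m[1]), level: m[2], job: Number(m[3]), src: m[4], msg: m[5], rest: m[6].trim() };
}

// Keep only indicator events, group them by source, and report any source
// with >= threshold events inside a windowMs-long sliding window.
function findRepeatOffenders(lines, { threshold = 3, windowMs = 60_000 } = {}) {
  const bySrc = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || Number.isNaN(ev.ts) || !INDICATOR_RE.test(ev.msg)) continue;
    if (!bySrc.has(ev.src)) bySrc.set(ev.src, []);
    bySrc.get(ev.src).push(ev);
  }

  const findings = [];
  for (const [src, events] of bySrc) {
    events.sort((a, b) => a.ts - b.ts);
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      // Slide the window start forward until it spans at most windowMs.
      while (events[end].ts - events[start].ts > windowMs) start++;
      const count = end - start + 1;
      if (count >= threshold) {
        findings.push({
          src,
          count,
          firstSeen: new Date(events[start].ts).toISOString(),
          lastSeen: new Date(events[end].ts).toISOString(),
          jobs: events.slice(start, end + 1).map((e) => e.job),
        });
        break; // one finding per source is enough to raise an alert
      }
    }
  }
  return findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findRepeatOffenders(SAMPLE_LOGS), null, 2));
}
```

On the sample, 10.0.0.9 is flagged for three redirect indicators within 19 seconds while 10.0.0.7's single timeout stays below the threshold; the same function fed a longer window and a higher threshold would instead catch a slower, spread-out pattern.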