CVE-2025-55311
📋 TL;DR
This vulnerability in Foxit PDF Reader and Foxit PDF Editor lets an attacker craft a PDF whose embedded JavaScript rewrites annotation content and clears the document's modification status, so the viewer continues to report the digital signature as valid. The result is an integrity bypass: changes to a signed PDF are hidden from the user, who is misled about the document's trustworthiness. Anyone running an unpatched Foxit PDF Reader or Editor on Windows or macOS is affected.
💻 Affected Systems
- Foxit PDF Reader
- Foxit PDF Editor
📦 What is this software?
Foxit PDF Reader is a free PDF viewer and Foxit PDF Editor is the commercial PDF creation and editing suite from the same vendor; both run on Windows and macOS and both support PDF JavaScript actions, which is the feature this vulnerability abuses.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could modify signed legal documents, contracts, or official forms without detection, leading to fraud, financial loss, or legal consequences when users trust manipulated documents.
Likely Case
Attackers create malicious PDFs that appear legitimate and signed, tricking users into accepting modified content while believing the document is unchanged and trustworthy.
If Mitigated
Patching removes the flaw. On systems that cannot be patched yet, disabling JavaScript in Foxit blocks the attack vector, so signature verification again reflects the actual document content.
🎯 Exploit Status
Exploitation requires the victim to open a malicious PDF; no further interaction is described. The attack relies on the PDF JavaScript support already built into Foxit rather than on a memory-safety bug, so it needs no exploit primitive beyond a crafted document.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Foxit PDF Reader/Editor 13.2 or later; Foxit 2025.2 or later
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Open the Foxit application.
2. Go to Help > Check for Updates.
3. Follow the prompts to download and install the latest version.
4. Restart after the installation completes.
🔧 Temporary Workarounds
Disable JavaScript in Foxit PDF
Platform: Windows (the same preference exists on macOS under the application menu > Preferences). Prevents JavaScript execution in PDF files, which blocks the exploitation method.
Open Foxit > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'
Use alternative PDF viewer
Platform: All. Temporarily use a different PDF reader that is not affected by this vulnerability.
🧯 If You Can't Patch
- Disable JavaScript in Foxit PDF preferences as a temporary mitigation
- Use application allowlisting to block unpatched Foxit builds from running
- Train users to verify digital signatures with an independent tool rather than trusting the viewer's signature panel alone
- Configure email and web gateways to block or quarantine PDF files that contain JavaScript, especially PDFs that also carry a signature
🔍 How to Verify
Check if Vulnerable:
Open the Foxit application, go to Help > About, and compare the version number with the fixed versions below; anything older is vulnerable.
Check Version:
On Windows: Open Foxit > Help > About; On macOS: Foxit Reader/Editor menu > About Foxit Reader/Editor
Verify Fix Applied:
Confirm the version is 13.2 or higher for the Foxit PDF Reader/Editor 13.x line, or 2025.2 or higher for the Foxit 2025 series.
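The version comparison above, written as code for an inventory or login script that already has the installed version string. This is an added example, not Foxit's code and not from the original page: it compares numerically rather than as text (13.10 is newer than 13.2 but sorts before it as a string) and applies the two thresholds this page lists. Versions from release lines the page does not mention (for example a 2024.x build) are reported as unknown rather than assumed safe; that rule and the sample inventory are assumptions.

```python
"""Classify installed Foxit PDF Reader/Editor versions against the fixed
versions listed on this page. Added example; not Foxit's code."""
from typing import Tuple

# First fixed version per release line, as stated on this page: 13.2 for the
# 13.x line and 2025.2 for the 2025 line. Other lines are deliberately absent.
FIRST_FIXED = {13: (13, 2), 2025: (2025, 2)}


def parse_version(text: str) -> Tuple[int, ...]:
    """'13.2.0.23501' -> (13, 2, 0, 23501).

    Numeric tuples compare correctly; comparing the raw strings would rank
    '13.10' below '13.2' and '13.2' below '2025.2' by accident of length.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def foxit_status(version: str) -> str:
    """Return 'patched', 'vulnerable', or 'unknown' for one version string.

    'unknown' means the release line is not covered by this page's thresholds;
    assumption: such builds are not treated as safe and need a bulletin check.
    """
    v = parse_version(version)
    fixed = FIRST_FIXED.get(v[0])
    if fixed is None:
        return "unknown"
    # A tuple that extends the threshold (13.2.0.x vs 13.2) compares greater, as wanted.
    return "patched" if v >= fixed else "vulnerable"


def summarize(inventory: dict) -> dict:
    """Group hosts by status for a {hostname: version} inventory."""
    out = {"patched": [], "vulnerable": [], "unknown": []}
    for host, ver in sorted(inventory.items()):
        out[foxit_status(ver)].append(host)
    return out


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {"ws-01": "13.1.5", "ws-02": "13.2.0.23501", "mac-03": "2025.1", "ws-04": "2024.3"}
    for status, hosts in summarize(sample).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

Feed the function whatever reports the version on your platform (the Windows uninstall registry keys or the macOS application bundle); the thresholds live in one place so they can be updated from the vendor bulletin.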
📡 Detection & Monitoring
Foxit does not write JavaScript activity to the operating system event log, and the bypass itself leaves little host-side trace, so detection depends on telemetry you already collect around the application and, above all, on inspecting PDFs before they reach the user.
Log Indicators:
- Mail or web gateway records of PDF attachments that contain JavaScript actions (/JavaScript, /JS, /OpenAction or /AA entries), especially in PDFs that also carry a signature field
- Application error or crash events from Foxit processes clustered around the opening of PDFs
- EDR telemetry showing Foxit processes behaving abnormally after a PDF is opened (unexpected child processes or network connections)
Network Indicators:
- PDF downloads from untrusted or newly seen sources
- PDFs with embedded JavaScript arriving from unusual senders or domains
SIEM Query (illustrative; the source, event and field names are placeholders to map onto your own telemetry schema):
source="*foxit*" AND (event="javascript_error" OR event="pdf_open") AND file_extension="pdf"
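A static triage script that implements the gateway rule from "If You Can't Patch" and the "PDFs with embedded JavaScript" indicator above, and also performs the independent signature check that section recommends. This is an added example, not Foxit's code and not from the original page. It flags JavaScript actions while looking inside FlateDecode streams (object streams), where a plain grep for /JS misses them; notes whether the document carries a signature field; and reports any bytes lying beyond the signed /ByteRange, which the signature cannot vouch for. The sample PDFs are constructed inline and are minimal (no xref table), and the JavaScript payload text is illustrative. One caveat the script makes explicit: JavaScript that alters annotations only in memory at open time leaves the on-disk bytes fully covered by the signature, so the byte-range check will not catch it; for this CVE the rule that matters is "signed PDF that also contains JavaScript".

```python
"""Static PDF triage: JavaScript actions, signature fields, unsigned tail bytes.

Added example for this page (not Foxit's code). Sample PDFs are constructed
inline and are minimal (no xref table); the JavaScript text is illustrative.
"""
import re
import zlib

# Name tokens end at a delimiter, so the lookahead keeps /JS from matching /JSFoo.
JS_RE = re.compile(rb"/(?:JavaScript|JS)(?![A-Za-z0-9_])")
SIG_RE = re.compile(rb"/(?:Type|FT)\s*/Sig(?![A-Za-z0-9_])")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def _inflated_streams(pdf: bytes):
    """Yield the decompressed body of every stream zlib can inflate.

    Objects inside a /FlateDecode object stream (/ObjStm) are invisible to a
    grep over the raw file; this is where a naive /JS filter gets bypassed.
    """
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        # The regex may have swallowed a trailing 0x0D that belongs to the binary data.
        for candidate in (body, body + b"\r"):
            try:
                yield zlib.decompress(candidate)
                break
            except zlib.error:
                continue


def triage_pdf(pdf: bytes) -> dict:
    """Return indicator flags and a verdict: allow, review, or block."""
    views = [pdf, *_inflated_streams(pdf)]
    has_js = any(JS_RE.search(v) for v in views)
    has_sig = any(SIG_RE.search(v) for v in views)

    # A signature covers exactly the bytes in its /ByteRange [a b c d]; the covered
    # region ends at c + d. Anything after that point is an incremental update the
    # signer never saw. In-memory changes made by JavaScript at open time do not
    # extend the file, so this check cannot see them; only the JS flag can.
    signed_end = 0
    for m in BYTERANGE_RE.finditer(pdf):
        _a, _b, c, d = (int(x) for x in m.groups())
        signed_end = max(signed_end, c + d)
    unsigned_tail = max(0, len(pdf) - signed_end) if (has_sig and signed_end) else 0

    if has_sig and has_js:
        verdict = "block"  # the combination this CVE relies on
    elif has_js or unsigned_tail > 0:
        verdict = "review"
    else:
        verdict = "allow"
    return {"javascript": has_js, "signature": has_sig,
            "unsigned_tail_bytes": unsigned_tail, "verdict": verdict}


def make_sample(with_js: bool, tampered: bool) -> bytes:
    """Constructed test input: a signed PDF, optionally with a JavaScript action
    hidden in a Flate-compressed object stream, optionally with an incremental
    update appended after the signed byte range."""
    objs = [
        b"<< /Type /Catalog /AcroForm << /Fields [2 0 R] /SigFlags 3 >> >>",
        # Placeholder 000000 is patched below so that c + d equals the file length.
        b"<< /FT /Sig /T (Sig1) /V << /Type /Sig /Filter /Adobe.PPKLite"
        b" /ByteRange [0 000100 000100 000000] /Contents <00> >> >>",
    ]
    if with_js:
        action = zlib.compress(
            b"3 0 << /S /JavaScript /JS (this.getAnnots()[0].contents = 'altered') >>")
        objs.append(b"<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\n"
                    b"stream\n" % len(action) + action + b"\nendstream")
    pdf = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    pdf += b"%%EOF\n"
    pdf = pdf.replace(b"000000", b"%06d" % (len(pdf) - 100), 1)
    if tampered:
        pdf += b"4 0 obj\n<< /Type /Annot /Subtype /FreeText /Contents (altered) >>\nendobj\n%%EOF\n"
    return pdf


if __name__ == "__main__":
    for js, tam in ((False, False), (True, False), (False, True), (True, True)):
        print(f"js={js!s:5} tampered={tam!s:5} -> {triage_pdf(make_sample(js, tam))}")
```

Wire `triage_pdf` into the gateway's attachment hook and quarantine on "block"; "review" covers unsigned JavaScript and post-signature edits, which are not this CVE but are worth a second look. For production use, decode the other stream filters (LZW, ASCIIHex/ASCII85) the same way, since an attacker choosing the filter chooses what a grep can see.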