CVE-2025-59803
📋 TL;DR
Foxit PDF Editor and Reader versions before 2025.2.1 contain a signature spoofing vulnerability where attackers can embed triggers (like JavaScript) in PDF documents. These triggers execute during the signing process, modifying content on other pages or layers after the signature is applied, causing the signed document to differ from what the signer reviewed. This undermines digital signature trustworthiness and affects all users of vulnerable Foxit software.
💻 Affected Systems
- Foxit PDF Editor
- Foxit PDF Reader
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate signed contracts, legal documents, or financial agreements after signing, leading to fraudulent transactions, legal disputes, or unauthorized changes to critical documents.
Likely Case
Malicious actors create PDFs with hidden triggers that modify document content post-signature, potentially altering terms, amounts, or other critical information in business or legal documents.
If Mitigated
With proper patching and security controls, the risk is limited to unpatched systems, but signed documents from vulnerable versions remain potentially compromised.
🎯 Exploit Status
Exploitation requires crafting a malicious PDF with embedded triggers and convincing a user to open and sign it. No authentication is needed beyond user interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.2.1, 14.0.1, or 13.2.1
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Download the latest version from Foxit's official website.
2. Run the installer.
3. Follow the on-screen prompts to complete the installation.
4. Restart the system if required.
🔧 Temporary Workarounds
Disable JavaScript in Foxit
Prevents trigger execution by disabling JavaScript in Foxit PDF software.
Open Foxit > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'
Use alternative PDF software
Temporarily use a PDF viewer that is not affected by this issue for signing documents.
🧯 If You Can't Patch
- Restrict PDF signing to trusted sources only and verify document integrity post-signature.
- Implement document signing workflows that include hash verification before and after signing.
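The "hash verification before and after signing" step above, as an added example that is not Foxit's code and not part of this advisory: a Python check that the incremental update a signer appended changed nothing except the signature. The sample PDF bytes, the `sign` helper and the tampering are constructed here, and the four heuristics (the reviewed bytes survive as a prefix with an unchanged hash, no existing stream is redefined, no trigger key such as /JS or /OpenAction appears, the last /ByteRange spans the whole file) are this example's assumptions about what a signature-only update looks like, not anything the advisory specifies.

```python
import hashlib
import re

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# Keys a signature-only update never needs; the \b keeps /AA from matching Apple's /AAPL keys.
TRIGGER_RE = re.compile(rb"/(JS|JavaScript|OpenAction|AA|OCProperties)\b")

def objects(blob):  # (num, gen) -> body of every indirect object found in blob
    return {(int(m[1]), int(m[2])): m[3] for m in OBJ_RE.finditer(blob)}

def check_signed_update(reviewed, signed):
    """Return findings about `signed`; an empty list means the update looks signature-only."""
    findings = []
    # 1. Signing appends an incremental update, so the hash of the reviewed bytes must still match.
    if hashlib.sha256(signed[:len(reviewed)]).digest() != hashlib.sha256(reviewed).digest():
        findings.append("reviewed bytes were rewritten instead of extended incrementally")
    before = objects(reviewed)
    for (num, gen), body in objects(signed[len(reviewed):]).items():
        # 2. Adding a signature never needs JavaScript, actions or a changed layer configuration.
        for m in TRIGGER_RE.finditer(body):
            findings.append(f"object {num} {gen} introduces /{m[1].decode()}")
        # 3. Redefining an existing stream (page content, image, XObject) changes what is displayed.
        if (num, gen) in before and b"stream" in before[(num, gen)]:
            findings.append(f"object {num} {gen} redefines an existing stream")
    ranges = BYTERANGE_RE.findall(signed)  # 4. the newest signature must span the whole file
    if not ranges or int(ranges[-1][0]) != 0 or int(ranges[-1][2]) + int(ranges[-1][3]) != len(signed):
        findings.append("last /ByteRange is missing or does not cover the whole signed file")
    return findings

# Constructed sample: a one-page document exactly as the signer reviewed it (xref table omitted).
REVIEWED = (b"%PDF-1.7\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
            b"2 0 obj<</Type/Pages/Kids[3 0 R]/Count 1>>endobj\n"
            b"3 0 obj<</Type/Page/Parent 2 0 R/Contents 4 0 R>>endobj\n"
            b"4 0 obj<</Length 22>>stream\nBT (Pay 100 USD) Tj ET\nendstream endobj\n"
            b"trailer<</Root 1 0 R>>\n%%EOF\n")
SIG_UPDATE = (b"1 0 obj<</Type/Catalog/Pages 2 0 R/AcroForm<</Fields[5 0 R]/SigFlags 3>>>>endobj\n"
              b"5 0 obj<</FT/Sig/T(Sig1)/V 6 0 R/Subtype/Widget/Rect[0 0 0 0]/P 3 0 R>>endobj\n"
              b"6 0 obj<</Type/Sig/Filter/Adobe.PPKLite/ByteRange[0 %010d %010d %010d]"
              b"/Contents<" + b"00" * 16 + b">>>endobj\n")
# Constructed tampering of the kind the advisory describes: page content replaced during signing.
TAMPERED = b"4 0 obj<</Length 23>>stream\nBT (Pay 9000 USD) Tj ET\nendstream endobj\n"

def sign(reviewed, extra=b""):  # constructed signer: appends SIG_UPDATE with a correct /ByteRange
    tail = extra + b"trailer<</Root 1 0 R>>\n%%EOF\n"
    body = SIG_UPDATE % (0, 0, 0) + tail
    hole = len(reviewed) + body.index(b"/Contents<") + len(b"/Contents")
    hole_end = len(reviewed) + body.index(b">", hole - len(reviewed)) + 1
    return reviewed + SIG_UPDATE % (hole, hole_end, len(reviewed) + len(body) - hole_end) + tail
```

A clean result only means the update looks signature-only; it does not validate the signature's cryptography, which a PDF library or the viewer still has to do.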
🔍 How to Verify
Check if Vulnerable:
Check the Foxit version via Help > About. If the installed version is below 2025.2.1, 14.0.1, or 13.2.1, it is vulnerable.
Check Version:
On Windows: Open Foxit > Help > About. On macOS: Foxit Reader > About Foxit Reader.
Verify Fix Applied:
After updating, confirm that the version shown in Help > About is 2025.2.1, 14.0.1, or 13.2.1, or higher.
📡 Detection & Monitoring
Log Indicators:
- Unusual PDF file access patterns, multiple failed signature validations, or alerts from endpoint protection software.
Network Indicators:
- Downloads of PDF files from untrusted sources, especially if followed by signature-related activities.
SIEM Query:
source="foxit_logs" AND (event="signature_failure" OR event="javascript_execution")