CVE-2021-21797
HIGHNitro Pro PDF - Double Free via JavaScript Timeout Object Handling
Title source: llmDescription
An exploitable double-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause a reference to a timeout object to be stored in two different places. When closed, the document will result in the reference being released twice. This can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability.
References (1)
Core 1
Core References
Exploit, Mitigation, Third Party Advisory x_refsource_misc
https://talosintelligence.com/vulnerability_reports/TALOS-2021-1266
Scores
CVSS v3
7.8
EPSS
0.1505
EPSS Percentile
96.3%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-415
Status
published
Products (2)
gonitro/nitro_pro
13.31.0.605
gonitro/nitro_pro
13.33.2.645
Published
Oct 18, 2021
Tracked Since
Feb 18, 2026