CVE-2024-25180

CRITICAL

pdfmake 0.2.9 - Remote Code Execution via /pdf Endpoint

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-25180. PoCs published by dustblessnotdust.

AI-analyzed exploit summary: This PoC exploits CVE-2024-25180, a remote code execution vulnerability in pdfmake, by sending a crafted JSON payload to the /pdf endpoint. The payload leverages Node.js's child_process module to execute a reverse shell command via netcat.

Description

An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via a crafted POST request to the /pdf endpoint. NOTE: this is disputed because the behavior of the /pdf endpoint is intentional. The /pdf endpoint is only available after installing a test framework (that lives outside of the pdfmake application). Anyone installing this is responsible for ensuring that it is only available to authorized testers.

Exploits (1)

nomisec WORKING POC
by dustblessnotdust · poc
https://github.com/dustblessnotdust/CVE-2024-25180

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: pdfmake (version not specified)
No auth needed
Prerequisites: Target server running vulnerable pdfmake instance · Network connectivity to target · Listener set up on attacker's machine
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3 9.8
EPSS 0.0102
EPSS Percentile 59.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-94
Status published
Products (1)
pdfmake_project/pdfmake 0.2.9
Published Feb 29, 2024
Tracked Since Feb 18, 2026