CVE-2024-25180

CRITICAL

pdfmake 0.2.9 - RCE

Title source: llm

Description

An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the /pdf endpoint. NOTE: this is disputed because the behavior of the /pdf endpoint is intentional. The /pdf endpoint is only available after installing a test framework (that lives outside of the pdfmake applicaton). Anyone installing this is responsible for ensuring that it is only available to authorized testers.

Exploits (1)

nomisec WORKING POC

by dustblessnotdust · poc

https://github.com/dustblessnotdust/CVE-2024-25180

View Code ZIP pw:eip

References (4)

[Issue Tracking] https://github.com/bpampuch/pdfmake/issues/2702

[Broken Link] https://github.com/joaoviictorti/My-CVES/blob/main/CVE-2024-25180/README.md

[Exploit, Third Party Advisory] https://security.snyk.io/vuln/SNYK-JS-PDFMAKE-6347243

[Exploit] https://www.youtube.com/watch?v=QcOlrWUGo6o

Scores

CVSS v3 9.8

EPSS 0.0043

EPSS Percentile 62.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (1)

pdfmake_project/pdfmake 0.2.9

Published Feb 29, 2024

Tracked Since Feb 18, 2026