Code Injection

The advisory has been revoked - it doesn't affect any version of package pdfmake

9.8 critical

  • Snyk ID SNYK-JS-PDFMAKE-3160329
  • published 7 Dec 2022
  • disclosed 7 Dec 2022
  • credit Ryan Finn

How to fix?

Upgrade pdfmake to version 0.2.7 or higher.


This was deemed not a vulnerability.


pdfmake is a client/server-side PDF printing library in pure JavaScript.

Affected versions of this package are vulnerable to Code Injection because it contains an unsafe evaluation of user-controlled input in the /pdf endpoint.

Note: Users are affected by this vulnerability only if using the dev-playground component of the library. This component is not bundled in any of the versions available on package managers.


Users are advised to restrict access to trusted user input.
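
An added example, not code from pdfmake or from this advisory: one way a service that accepts document definitions can treat the submission as data instead of evaluating it. The function names, the size and depth limits, and both sample inputs are assumptions constructed for illustration.

```javascript
// Added example: handle a submitted document definition as data, never as code.
// parseDocDefinition, tryParse and the limits below are hypothetical, not pdfmake API.
const MAX_CHARS = 256 * 1024;   // assumed upper bound on the submitted text
const MAX_DEPTH = 32;           // assumed nesting limit
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk the parsed structure and reject keys that could alter object prototypes.
function checkNode(node, depth) {
  if (depth > MAX_DEPTH) throw new Error('document definition nested too deeply');
  if (node === null || typeof node !== 'object') return; // JSON scalars are inert
  for (const key of Object.keys(node)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key: ${key}`);
    checkNode(node[key], depth + 1);
  }
}

function parseDocDefinition(body) {
  if (typeof body !== 'string') throw new Error('body must be a string');
  if (body.length > MAX_CHARS) throw new Error('body too large');
  let dd;
  try {
    dd = JSON.parse(body);      // parses data only; no statement in the input runs
  } catch (e) {
    throw new Error('body is not valid JSON');
  }
  if (dd === null || typeof dd !== 'object' || Array.isArray(dd)) {
    throw new Error('document definition must be an object');
  }
  if (!Object.prototype.hasOwnProperty.call(dd, 'content')) {
    throw new Error('document definition needs "content"');
  }
  checkNode(dd, 0);
  return dd;
}

// Wrapper that reports the outcome instead of throwing.
function tryParse(body) {
  try { return { ok: true, dd: parseDocDefinition(body) }; }
  catch (e) { return { ok: false, error: e.message }; }
}

// Constructed inputs: a plain definition and a script-style submission.
const plain = '{"content": ["First paragraph", {"text": "bold", "bold": true}]}';
const script = "const {execSync} = require('node:child_process');\ndd = { content: [] }";

console.log(tryParse(plain).ok, tryParse(script));
```

A submission written as JavaScript fails at the parse step and is returned as an error; nothing in it is executed.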


const {execSync} = require('node:child_process');
var out = execSync('cat /etc/passwd');
dd = {
    content: [