Primary

Context

pdfmake Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability has been identified in pdfmake versions through 0.2.5. The issue arises from an unsafe evaluation of user-controlled input, allowing arbitrary code execution in the context of the process running pdfmake. This vulnerability is present in the 'dev-playground' feature, specifically within the '/pdf' endpoint of the server.js file.

Impact

Exploitation of this vulnerability allows for remote code execution on the server where pdfmake is running.

Reproduction

To reproduce this vulnerability, send a POST request to the '/pdf' endpoint with a payload that includes JavaScript code. The server will execute the code using 'eval()' without any sanitization or sandboxing. For example, a payload could be crafted to execute a command that reads sensitive files, such as '/etc/passwd', and returns the contents in the generated PDF.

Added: Apr 7, 2026, 10:40 AM

Updated: Apr 7, 2026, 10:40 AM

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

7.5

exploitability

6.0

remediation

7.9

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

7.5

exploitability

6.0

remediation

7.9

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

pdfmake Remote Code Execution Vulnerability

Vulnerability

Impact

Reproduction

Affected Products

bpampuch pdfmake

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating