pdfmake Arbitrary Code Injection Vulnerability

Vulnerability

An arbitrary code execution vulnerability has been identified in pdfmake version 0.2.9. It is triggered by a crafted POST request to the '/pdf' endpoint, which is only accessible after installing a test framework outside of the pdfmake application. The vulnerability has been disputed, but it remains a significant security concern because the code can be executed without proper authorization.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the server where pdfmake is running.

Reproduction

To reproduce this vulnerability, send a POST request to the '/pdf' endpoint with a payload that includes JavaScript code. The payload can be crafted to execute commands on the server, for example by using the Node.js 'child_process' module to run system commands. The request can be sent with a tool like 'curl' or from a programming language like Python with the 'requests' library.
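
A defensive counterpart to the request described above, added here as an example and not taken from pdfmake's code: input handling for a '/pdf' endpoint that parses the body strictly as JSON data and never evaluates it. The function and constant names are hypothetical, the sample bodies are constructed, and the check for a 'content' key assumes a pdfmake-style document definition.

```javascript
// Added example (not pdfmake code): treat the POST /pdf body as data only.
// All names below are hypothetical.
const MAX_BODY_BYTES = 256 * 1024;

// Patterns used only to label rejected bodies for logging and alerting.
// They are not the security boundary: JSON.parse is, because it can only
// produce inert values (strings, numbers, arrays, objects), never code.
const CODE_MARKERS = [
  /\brequire\s*\(/,
  /\bchild_process\b/,
  /\beval\s*\(/,
  /\bFunction\s*\(/,
];

function parseDocDefinition(rawBody) {
  if (typeof rawBody !== 'string') {
    return { ok: false, reason: 'body-not-string' };
  }
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) {
    return { ok: false, reason: 'too-large' };
  }
  let doc;
  try {
    doc = JSON.parse(rawBody); // never eval() or new Function() on input
  } catch {
    // Not JSON: distinguish ordinary garbage from a body that looks like
    // JavaScript, so the latter can be alerted on.
    const codeLike = CODE_MARKERS.some((re) => re.test(rawBody));
    return { ok: false, reason: codeLike ? 'code-like-body' : 'invalid-json' };
  }
  if (doc === null || typeof doc !== 'object' || Array.isArray(doc)) {
    return { ok: false, reason: 'not-an-object' };
  }
  if (!Object.prototype.hasOwnProperty.call(doc, 'content')) {
    return { ok: false, reason: 'missing-content' };
  }
  return { ok: true, doc };
}

// Constructed sample bodies.
const BENIGN_BODY = '{"content":["Invoice 0001","Total: 42.00"]}';
const CODE_LIKE_BODY = "dd = { content: require('child_process') }";
// Valid JSON whose text merely mentions code: accepted, because it is
// only ever rendered as a string and never executed.
const TEXT_ONLY_BODY = '{"content":"docs mention require(\'child_process\')"}';

console.log(parseDocDefinition(BENIGN_BODY).ok);        // true
console.log(parseDocDefinition(CODE_LIKE_BODY).reason); // code-like-body
```

Requests rejected with 'code-like-body' are worth logging with source address and timestamp, since a legitimate client has no reason to send them.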

Added: Apr 7, 2026, 10:37 AM
Updated: Apr 7, 2026, 10:37 AM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 7.5
exploitability: 5.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.