pdfmake Server-Side Request Forgery Vulnerability

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in pdfmake versions 0.3.0-beta.2 through 0.3.5. This vulnerability allows remote attackers to access sensitive information by exploiting the src/URLResolver.js component. The issue arises because the URLResolver does not properly enforce access policies for external URLs, potentially leading to unauthorized data retrieval.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive information on the server where pdfmake is used.

Remediation

Users can upgrade to pdfmake version 0.3.6 or later, which includes the `setUrlAccessPolicy()` method for defining custom access rules for external URLs. After updating, server operators should configure an appropriate URL access policy to mitigate the vulnerability.

Added: Mar 10, 2026, 7:44 PM
Updated: Mar 10, 2026, 7:44 PM

Vulnerability Rating

Custom Algorithm

spread: 4.2
impact: 0.6
exploitability: 4.4
remediation: 8.3
relevance: 3.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.