Foxit Products Uncontrolled Recursion Vulnerability Leading to Stack Exhaustion

Vulnerability

An uncontrolled recursion vulnerability has been identified in Foxit PDF Reader and Foxit PDF Editor. It arises when the application processes PDF files containing cyclic references between objects, particularly through JavaScript. Because these cyclic references are not detected, processing can recurse until the stack overflows, crashing the application. The vulnerability is present in Foxit PDF Reader versions prior to 2026.1 and Foxit PDF Editor versions 2025.3.0.35737 and earlier, as well as several previous 2024.x, 2023.x, and 14.x versions.

Impact

Exploitation of this vulnerability causes a stack overflow, leading to application crashes.

Reproduction

To reproduce this vulnerability, create a PDF document with pages and annotations that reference each other in a loop. Then, open this document in Foxit PDF Reader or Foxit PDF Editor and pass it to an API that performs deep traversal, such as a SOAP API. The application will crash due to uncontrolled recursion.
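The check whose absence is described above, sketched as an added example (not Foxit's code and not part of the original advisory): a deep traversal that marks objects on the current path and enforces a depth limit, so a page/annotation loop is rejected instead of recursing until the stack is exhausted. The `Obj` type, the function names and the `MAX_DEPTH` value are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define MAX_REFS  4
#define MAX_DEPTH 64  /* assumed limit, chosen for this example */

/* Constructed stand-in for a PDF object and its outgoing references. */
typedef struct Obj {
    int on_path;               /* 1 while the object is on the current path */
    size_t nrefs;
    struct Obj *refs[MAX_REFS];
} Obj;

/* Deep traversal that refuses cycles and excessive depth.
 * Returns the number of visits, or -1 if the graph must be rejected. */
static int walk_checked(Obj *o, int depth) {
    if (depth > MAX_DEPTH || o->on_path) return -1;  /* too deep, or a back edge */
    o->on_path = 1;
    int count = 1;
    for (size_t i = 0; i < o->nrefs && count > 0; i++) {
        int n = walk_checked(o->refs[i], depth + 1);
        count = (n < 0) ? -1 : count + n;
    }
    o->on_path = 0;            /* leaving the path: shared objects stay legal */
    return count;
}

/* Constructed sample: page -> annotation -> page, the loop the advisory describes. */
static int demo_cyclic(void) {
    Obj page = {0}, annot = {0};
    page.refs[page.nrefs++] = &annot;    /* page lists its annotation */
    annot.refs[annot.nrefs++] = &page;   /* annotation points back at its page */
    return walk_checked(&page, 0);
}

/* Constructed sample: two annotations sharing one object, no loop. */
static int demo_shared(void) {
    Obj page = {0}, a1 = {0}, a2 = {0}, shared = {0};
    page.refs[page.nrefs++] = &a1;
    page.refs[page.nrefs++] = &a2;
    a1.refs[a1.nrefs++] = &shared;
    a2.refs[a2.nrefs++] = &shared;
    return walk_checked(&page, 0);
}

int main(void) {
    printf("cyclic: %d, shared: %d\n", demo_cyclic(), demo_shared());
    return 0;
}
```

Tracking only the current path, rather than every object ever seen, lets the traversal accept an object referenced from two places while still rejecting a true loop.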

Remediation

Users can update to Foxit PDF Reader 2026.1 or Foxit PDF Editor 2026.1. Instructions for updating or downloading the latest versions are available on the Foxit website.

Added: Apr 1, 2026, 2:25 AM
Updated: Apr 1, 2026, 2:25 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.3
remediation: 0.0
relevance: 5.0
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.