Home

Description

pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1.

PUBLISHED Reserved 2025-07-07 | Published 2025-07-10 | Updated 2025-07-10 | Assigner GitHub_M




MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

>= 5.2.0, < 5.4.1
affected

References

github.com/.../pdfme/security/advisories/GHSA-54xv-94qv-2gfg exploit

github.com/.../pdfme/security/advisories/GHSA-54xv-94qv-2gfg

github.com/...ommit/0dd54739acff2c249ed68c001a896bee38f0fd85

cve.org (CVE-2025-53626)

nvd.nist.gov (CVE-2025-53626)

Download JSON