Apache FOP: escaping bypass → PostScript injection → server file read
⚔️ Attack Techniques & Methods
2026-03-04, 08:31
Apache FOP (Formatting Objects Processor) is a Java library used to generate documents (PDF, PostScript) from XML templates.
In this case, FOP does not generate the PDF directly. Instead, it first produces PostScript, which is then converted to PDF by GhostScript. The vulnerability appears during this intermediate stage.
FOP escapes the ) character as \). A separate routine splits lines longer than 200 characters by inserting \ followed by a newline. However, this logic does not account for the fact that \) is a single escape sequence.
If the backslash from \) lands exactly at a line break boundary, the line-splitting logic inserts another \ and newline, producing \\ followed by a newline and then ).
Here the first backslash escapes the second one, leaving ) unescaped. This prematurely closes the PostScript string, allowing the attacker to inject arbitrary PostScript code.
The injected code is then executed by GhostScript during PDF generation, enabling server-side file reads. The article also describes exploitation constraints, bypass techniques, and how chaining this issue with CVE-2025-46646 (GhostScript) can lead to full remote code execution.
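The escaping and line-splitting interaction described above, as an added Python model (not FOP's code and not from the linked article). All function names are hypothetical, the escaper's character set is an assumption, and the sample input is constructed; the model contrasts the flawed splitter with one that never cuts inside an escape pair, and includes a scanner that flags a string body that closes early.

```python
LIMIT = 200  # line-length threshold given in the post

def escape_ps(text):
    # Model escaper (assumption): prefix backslash, ( and ) with a backslash.
    return "".join("\\" + c if c in "\\()" else c for c in text)

def split_naive(escaped, limit=LIMIT):
    # Flawed: cuts every `limit` chars, even between a backslash and its ')'.
    chunks = [escaped[i:i + limit] for i in range(0, len(escaped), limit)]
    return "\\\n".join(chunks)

def split_safe(escaped, limit=LIMIT):
    # Hardened: each backslash pair is one indivisible token.
    lines, cur, i = [], "", 0
    while i < len(escaped):
        tok = escaped[i:i + 2] if escaped[i] == "\\" else escaped[i]
        if cur and len(cur) + len(tok) > limit:
            lines.append(cur)
            cur = ""
        cur += tok
        i += len(tok)
    lines.append(cur)
    return "\\\n".join(lines)

def premature_close(body):
    # Scan like a PostScript string reader: return the index of a ')' that
    # closes the string early, or None if the body stays inside the string.
    depth, i = 0, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\":  # escape or line continuation: skip the next char
            i += 2
            continue
        if ch == "(":
            depth += 1
        elif ch == ")":
            if depth == 0:
                return i
            depth -= 1
        i += 1
    return None

# Constructed input: the ')' is placed so its escaping backslash is char 200.
SAMPLE = "A" * 199 + ") trailing text"

if __name__ == "__main__":
    esc = escape_ps(SAMPLE)
    print("naive splitter closes string at:", premature_close(split_naive(esc)))
    print("safe splitter closes string at: ", premature_close(split_safe(esc)))
```

A scanner like `premature_close` can be run over generated string bodies as a regression check before the PostScript is handed to the converter.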
📎 Article: https://offsec.almond.consulting/bypassing-apache-fop-escaping-to-reach-ghostscript.html
🔨 PoC: https://github.com/AlmondOffSec/misc/tree/master/apache-fop-poc