Pdfmake · Pdfmake · CVE-2024-25180
**Name of the Vulnerable Software and Affected Versions**
pdfmake version 0.2.9
**Description**
An issue in pdfmake allows remote attackers to run arbitrary code via a crafted POST request to the `/pdf` endpoint. Note that the behavior of the `/pdf` endpoint is intentional and only available after installing a test framework outside of the pdfmake application. The responsibility lies with the installer to ensure the endpoint is only accessible to authorized testers.
**Recommendations**
For pdfmake version 0.2.9, as a temporary workaround, restrict access to the `/pdf` endpoint to reduce the risk of exploitation. Install the test framework only in environments where the `/pdf` endpoint's intentional behavior is understood and managed, and limit its availability to authorized testers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.