CVE-2022-25765

Name of the Vulnerable Software and Affected Versions pdfkit versions 0.0.0 through 0.8.7.2

Description The issue is related to insufficient argument checking in the pdfkit library, which can be exploited by a remote attacker to execute arbitrary commands. This is a Command Injection vulnerability where the URL is not properly sanitized.

Recommendations For pdfkit versions 0.0.0 through 0.8.7.2, update to a version later than 0.8.7.2, as the initial patch in 0.8.7.2 was found to be ineffective. As a temporary workaround, consider disabling the use of URLs in the pdfkit library until a patch is available. Restrict access to the vulnerable module to minimize the risk of exploitation. Avoid using the URL parameter in the affected API endpoint until the issue is resolved.