CVE-2024-25180

Name of the Vulnerable Software and Affected Versions pdfmake version 0.2.9

Description An issue in pdfmake allows remote attackers to run arbitrary code via a crafted POST request to the /pdf endpoint. Note that the behavior of the /pdf endpoint is intentional and only available after installing a test framework outside of the pdfmake application. The responsibility lies with the installer to ensure the endpoint is only accessible to authorized testers.

Recommendations For pdfmake version 0.2.9, as a temporary workaround, consider restricting access to the /pdf endpoint to minimize the risk of exploitation. Ensure that the test framework is only installed in environments where the /pdf endpoint's intentional behavior is understood and managed, limiting its availability to authorized testers. At the moment, there is no information about a newer version that contains a fix for this vulnerability.