PT-2025-29133 · Pdfme · Pdfme

Arkark · Published 2025-07-10 · Updated 2025-07-12 · CVE-2025-53626

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: pdfme versions 5.2.0 through 5.4.0
Description: The expression evaluation feature in pdfme contains critical vulnerabilities that allow a sandbox escape, leading to Cross-Site Scripting (XSS) and prototype pollution. Attackers can bypass the sandbox restrictions and execute arbitrary JavaScript code using reflective methods such as Object.getOwnPropertyDescriptor and Object.getPrototypeOf. The expression evaluator also exposes the legacy prototype accessor methods (__lookupGetter__, __lookupSetter__, __defineGetter__, __defineSetter__), which can be combined with Object.assign to pollute the prototype chain. These vulnerabilities allow attackers to execute arbitrary JavaScript code, steal sensitive information, modify application behavior, and potentially perform actions on behalf of users.
Recommendations: pdfme versions prior to 5.4.1 are affected. Update to pdfme version 5.4.1 to resolve this issue.
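The description above names the two ingredients of the escape: reflective helpers (Object.getPrototypeOf, Object.getOwnPropertyDescriptor) and the legacy accessor names reachable through property access. The example below is added here as an illustration of the defensive side and is not pdfme's code or its 5.4.1 fix; the function names, the blocklist and the sample template expressions are assumptions for this example. It gives a static scanner that audits template expressions for those names before they reach any evaluator, and a runtime getter that only ever returns own data properties of the supplied data object, so accessor methods and prototype members are unreachable regardless of how the expression spells the access.

```javascript
// Added example: property-name gating for a template expression evaluator.
// Not pdfme's code; all names here are assumptions for illustration.

// Names whose reachability from an expression defeats the sandbox:
// the prototype chain itself, the legacy accessor methods, and the
// reflective helpers on Object.
const BLOCKED_NAMES = new Set([
  '__proto__', 'constructor', 'prototype',
  '__lookupGetter__', '__lookupSetter__', '__defineGetter__', '__defineSetter__',
  'getOwnPropertyDescriptor', 'getPrototypeOf', 'setPrototypeOf',
  'defineProperty', 'defineProperties', 'assign',
  'Function', 'eval',
]);

function isBlockedName(name) {
  return BLOCKED_NAMES.has(name);
}

// Collect every identifier and every quoted string key in an expression,
// so both dotted access (a.__proto__) and bracket access (a['__proto__'])
// are seen. Order of first appearance is preserved.
function extractPropertyNames(expr) {
  const names = new Set();
  for (const m of expr.matchAll(/[A-Za-z_$][\w$]*|'([^']*)'|"([^"]*)"/g)) {
    names.add(m[1] ?? m[2] ?? m[0]);
  }
  return [...names];
}

// Static check to run over stored templates before evaluation.
function scanExpression(expr) {
  const flagged = extractPropertyNames(expr).filter(isBlockedName);
  return { safe: flagged.length === 0, flagged };
}

// Audit a batch of expressions and report only the problematic ones.
function auditExpressions(exprs) {
  return exprs
    .map((expr) => ({ expr, ...scanExpression(expr) }))
    .filter((r) => !r.safe);
}

// Runtime gate for the evaluator's property lookups: return a value only
// when it is an own *data* property of a plain object. Inherited members
// (prototype methods), accessor properties and blocked names all yield
// undefined, so the expression cannot reach them.
function safeGet(obj, key) {
  if (obj === null || typeof obj !== 'object') return undefined;
  if (typeof key !== 'string' || isBlockedName(key)) return undefined;
  if (!Object.prototype.hasOwnProperty.call(obj, key)) return undefined;
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  if (!desc || 'get' in desc || 'set' in desc) return undefined;
  return desc.value;
}

// Constructed sample template expressions (not from any real pdfme template).
const SAMPLE_EXPRESSIONS = [
  'items.length * 2',
  "customer.name + ' (' + customer.id + ')'",
  "data.__lookupGetter__('x')",
  'Object.getPrototypeOf(data)',
  "data['__proto__']",
];

console.log(auditExpressions(SAMPLE_EXPRESSIONS));
console.log(safeGet({ total: 42 }, 'total'), safeGet({ total: 42 }, 'toString'));
```

The static scan is deliberately coarse: it flags a name wherever it appears, including inside a harmless string, which errs toward rejecting a template for review rather than evaluating it. The runtime gate is the stronger control, because it does not depend on recognising every spelling of an access; anything not an own data property of the data object simply does not exist from the expression's point of view.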

Tags: Prototype Pollution, XSS, Code Injection

Weakness Enumeration

Related Identifiers

CVE-2025-53626
GHSA-54XV-94QV-2GFG

Affected Products

Pdfme