CVE-2025-53626

pdfme has Sandbox Escape and Prototype Pollution vulnerabilities in pdfme expression evaluation

CVSS 6.1 MEDIUMEPSS 0.3%CWE-1321 CWE-79 CWE-94

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.1EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

10 jul 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Productos afectados

pdfme · pdfme

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/pdfme/pdfme/commit/0dd54739acff2c249ed68c001a896bee38f0fd85 https://github.com/pdfme/pdfme/security/advisories/GHSA-54xv-94qv-2gfg