
CVE-2025-11362: pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding

CVSS Score (v3.1)
7.5

Basic Information

EPSS Score
0.1167%
Published
10/7/2025
Updated
10/7/2025
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name
pdfmake
Ecosystem
npm
Vulnerable Versions
< 0.3.0-beta.17
First Patched Version
0.3.0-beta.17

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability is a resource-exhaustion issue in the pdfmake library, specifically in how it handles HTTP redirects while embedding remote files. The security patch pins down the exact location.

Commit 741169634bf07730e010cd77477b6cc038e846ed addresses the problem. The changes are concentrated in src/URLResolver.js, within the fetchUrl function. Before the patch, whenever a response carried a 3xx status and a Location header, fetchUrl called itself again on the URL from that header; nothing tracked how many redirects had already been followed.

This is a classic denial-of-service setup. An attacker runs a web server that answers every request with yet another redirect (an endless chain, or simply two URLs that point at each other). When pdfmake is asked to embed a file from such a URL, fetchUrl keeps issuing requests: each hop opens a new connection and allocates a new response, and because the chain never ends, neither does the fetch. CPU, memory, and sockets are consumed until the process crashes or stops responding. Anyone who can supply a remote file URL that the document definition embeds can trigger this, so the exposure is greatest where user-supplied URLs reach pdfmake running server-side under Node.js; if only trusted URLs ever reach the embedding path, the practical impact is limited.

The fix is straightforward: it introduces a counter (redirectCount) and a maximum (MAX_REDIRECTS). fetchUrl now carries the count through each recursive call and aborts once the limit is exceeded, so a redirect chain is bounded and the resource exhaustion cannot occur. fetchUrl is therefore the function that would appear in a runtime profile during exploitation. Remediation is to upgrade to 0.3.0-beta.17 or later; to confirm which version a project actually resolves, check the pdfmake entry in the lockfile or run `npm ls pdfmake`.

Vulnerable functions

fetchUrl
src/URLResolver.js
The vulnerability lies in the `fetchUrl` function, which fetches URLs for file embedding. The original implementation called itself again whenever a response carried a redirect status (300-399) and a Location header, with no limit on the number of hops. An attacker can therefore provide a URL that redirects without end, and the application issues request after request for as long as the chain continues. Each hop allocates CPU time, memory, and a network socket, so the process eventually crashes or becomes unresponsive, a Denial of Service (DoS). The patch mitigates this by introducing a `MAX_REDIRECTS` limit and passing the current redirect count into each recursive call, aborting the fetch once the limit is exceeded.
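The two shapes of `fetchUrl` described above, as an added example that is not pdfmake's own code: a minimal redirect-following fetcher over a simulated in-memory transport, first in the unbounded form the advisory describes and then with the redirect counter and limit the patch introduces. The function names `fetchUrlUnbounded`, `fetchUrlBounded`, `simulatedTransport` and `probe`, the hosts `attacker.example` and `files.example`, the demo `budget` that stops the unbounded version from running forever, and the value 10 for `MAX_REDIRECTS` are all assumptions made for this demo; the real src/URLResolver.js differs in detail and this page does not state the limit it chose.

```javascript
// Added example, not pdfmake's code: a redirect-following fetcher in the
// shape the advisory describes, unbounded and then bounded.
// Transport is simulated in memory so this runs offline with plain Node.

const MAX_REDIRECTS = 10; // assumed value for the demo; the real limit is set in the patch

// Constructed fake server. /loop/N answers 302 -> /loop/N+1 forever (the
// attacker's infinite chain); /hop is a single benign redirect to /image.png.
function simulatedTransport(url) {
  const u = new URL(url);
  if (u.pathname.startsWith('/loop/')) {
    const n = Number(u.pathname.slice('/loop/'.length));
    return { status: 302, headers: { location: `/loop/${n + 1}` }, body: null };
  }
  if (u.pathname === '/hop') {
    return { status: 301, headers: { location: `${u.origin}/image.png` }, body: null };
  }
  if (u.pathname === '/image.png') {
    return { status: 200, headers: {}, body: Buffer.from('constructed PNG bytes') };
  }
  return { status: 404, headers: {}, body: null };
}

function isRedirect(res) {
  return res.status >= 300 && res.status < 400 && typeof res.headers.location === 'string';
}

// Vulnerable shape: follow Location on every 3xx and never count the hops.
// `budget` exists only so the demo terminates; the pre-patch code had no such valve.
async function fetchUrlUnbounded(url, transport, stats = { requests: 0 }, budget = 50) {
  stats.requests += 1;
  if (stats.requests > budget) {
    throw new Error(`runaway: ${stats.requests} requests and still redirecting`);
  }
  const res = await transport(url);
  if (isRedirect(res)) {
    // A relative Location is resolved against the URL that returned it.
    const next = new URL(res.headers.location, url).toString();
    return fetchUrlUnbounded(next, transport, stats, budget);
  }
  if (res.status !== 200) throw new Error(`HTTP ${res.status} for ${url}`);
  return res.body;
}

// Patched shape: carry redirectCount through each recursive call and abort past MAX_REDIRECTS.
async function fetchUrlBounded(url, transport, redirectCount = 0) {
  const res = await transport(url);
  if (isRedirect(res)) {
    if (redirectCount >= MAX_REDIRECTS) {
      throw new Error(`too many redirects (limit ${MAX_REDIRECTS}) while fetching ${url}`);
    }
    const next = new URL(res.headers.location, url).toString();
    return fetchUrlBounded(next, transport, redirectCount + 1);
  }
  if (res.status !== 200) throw new Error(`HTTP ${res.status} for ${url}`);
  return res.body;
}

// Run a fetcher against the fake server and report how many requests it made.
async function probe(fetcher, url) {
  let calls = 0;
  const counting = (u) => { calls += 1; return simulatedTransport(u); };
  try {
    const body = await fetcher(url, counting);
    return { ok: true, calls, body: body.toString() };
  } catch (err) {
    return { ok: false, calls, error: err.message };
  }
}

const LOOP = 'http://attacker.example/loop/0';   // constructed attacker URL
const BENIGN = 'http://files.example/hop';       // constructed benign URL

// Demo: the unbounded fetcher stops only because of the demo budget (50 requests);
// the bounded one stops after MAX_REDIRECTS + 1 requests; both handle the benign hop.
Promise.all([probe(fetchUrlUnbounded, LOOP), probe(fetchUrlBounded, LOOP), probe(fetchUrlBounded, BENIGN)])
  .then((results) => results.forEach((r) => console.log(JSON.stringify(r))));
```

The counter is threaded through the recursive call as an argument rather than kept in module state, so concurrent fetches cannot share or reset each other's count; that is the property to look for when reviewing any redirect-following code, whether it is written recursively or as a loop.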

WAF Protection Rules

WAF Rule

Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by provi
