CVE-2024-25180

Name: CVE-2024-25180
Creator: NVD / NIST
Published: 2024-02-29T18:15:16.52+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 1.02%

Last modified Jun 17, 2026

CVE-2024-25180 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the /pdf endpoint. NOTE: this is disputed because the behavior of the /pdf endpoint is intentional. EPSS estimates a 1.02% chance of exploitation in the next 30 days.

Description

An issue discovered in pdfmake 0.2.9 allows remote attackers to run arbitrary code via crafted POST request to the /pdf endpoint. NOTE: this is disputed because the behavior of the /pdf endpoint is intentional. The /pdf endpoint is only available after installing a test framework (that lives outside of the pdfmake applicaton). Anyone installing this is responsible for ensuring that it is only available to authorized testers.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

1.02%

59.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-94

Affected Software

Vendor	Product	Versions
Pdfmake Project	Pdfmake	0.2.9

References

https://github.com/bpampuch/pdfmake/issues/2702Issue Tracking
https://github.com/joaoviictorti/My-CVES/blob/main/CVE-2024-25180/README.mdBroken Link
https://security.snyk.io/vuln/SNYK-JS-PDFMAKE-6347243Exploit, Third Party Advisory
https://www.youtube.com/watch?v=QcOlrWUGo6oExploit
https://github.com/bpampuch/pdfmake/issues/2702Issue Tracking
https://github.com/joaoviictorti/My-CVES/blob/main/CVE-2024-25180/README.mdBroken Link
https://security.snyk.io/vuln/SNYK-JS-PDFMAKE-6347243Exploit, Third Party Advisory
https://www.youtube.com/watch?v=QcOlrWUGo6oExploit

Timeline

Published: Feb 29, 2024
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2024-25180?

How severe is CVE-2024-25180?

CVE-2024-25180 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 1.02% probability of exploitation in the next 30 days.

How do I fix CVE-2024-25180?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-25180?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST