CVE-2024-25938: Foxit PDF Editor Use-After-Free Flaw

CVE-2024-25938 is a use-after-free vulnerability in Foxit PDF Editor that enables arbitrary code execution via malicious PDF documents. This article covers the technical details, affected versions, impact, and mitigation.

CVE-2024-25938 Overview

CVE-2024-25938 is a use-after-free vulnerability [CWE-416] in Foxit Reader 2024.1.0.23997. The flaw exists in the handling of Barcode widgets when processing JavaScript within PDF documents. A specially crafted JavaScript payload embedded in a malicious PDF can trigger reuse of a previously freed object. This memory corruption can lead to arbitrary code execution in the context of the user running the application. Exploitation requires the user to open a malicious PDF file or visit a malicious site when the Foxit browser plugin extension is enabled.

Critical Impact

Successful exploitation allows arbitrary code execution on Windows and macOS systems running affected Foxit PDF Reader and PDF Editor versions. The EPSS score places this vulnerability in the top 4% of vulnerabilities most likely to be exploited.

Affected Products

  • Foxit PDF Reader 2024.1.0.23997
  • Foxit PDF Editor 2024.1.0.23997
  • Microsoft Windows and Apple macOS installations of the above products

Discovery Timeline

  • 2024-04-30 - CVE-2024-25938 published to NVD
  • 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2024-25938

Vulnerability Analysis

The vulnerability resides in the Barcode widget handling logic of Foxit Reader and Editor. When a PDF document contains a Barcode form field, the application allocates memory objects to manage the widget state. JavaScript embedded in the PDF can manipulate these objects in ways that cause the application to free an object while still retaining references to it. Subsequent operations dereference the freed memory, producing a classic use-after-free condition tracked under [CWE-416].

Attackers can shape the freed memory region through controlled allocations from JavaScript. Once the dangling pointer is dereferenced, attacker-controlled data is treated as a valid object, including potentially crafted virtual function tables or function pointers. This primitive enables arbitrary code execution within the rendering process.

Root Cause

The defect stems from improper lifetime management of Barcode widget objects exposed to JavaScript. The application does not invalidate or null outstanding references when the underlying object is destroyed. Scripted events fired during document rendering create the freed-then-reused condition.

Attack Vector

Exploitation occurs through two primary delivery paths. The first requires the victim to open a weaponized PDF in Foxit PDF Reader or Editor. The second exploits the browser plugin extension when enabled, allowing drive-by exploitation when a user visits a malicious website that serves a crafted PDF. Both paths require user interaction but no authentication. Detailed technical analysis is available in the Talos Intelligence Vulnerability Report.

Detection Methods for CVE-2024-25938

Indicators of Compromise

  • PDF files containing Barcode form widgets combined with JavaScript actions referencing widget objects after deletion
  • Unexpected child processes spawned by FoxitPDFReader.exe or FoxitPDFEditor.exe, such as command interpreters or scripting hosts
  • Crashes in Foxit processes with access violation exceptions referencing freed heap regions
  • Outbound network connections originating from the Foxit process immediately after a PDF is opened

Detection Strategies

  • Inspect inbound PDFs at email and web gateways for embedded JavaScript that manipulates Barcode (/BarcodeWidget) form fields
  • Monitor endpoints for anomalous process lineage where Foxit applications launch shells, PowerShell, or rundll32.exe
  • Correlate Foxit application crash telemetry with subsequent suspicious process or file activity on the same host
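The gateway inspection described above, as an added example that is not part of this advisory or any Foxit or Talos tooling: a stdlib-only Python heuristic that inflates FlateDecode streams, resolves PDF name escapes (so an obfuscated /J#53 is still seen as /JS), and flags documents where a JavaScript action coexists with a /BarcodeWidget marker. The embedded PDF fragment is constructed for the demonstration; the indicator names and the quarantine rule are this example's own assumptions, and object streams (/ObjStm) and filters other than Flate are not handled.

```python
import re
import zlib

# Constructed sample (not an exploit document): a catalog whose /OpenAction points at a
# FlateDecode-compressed JavaScript action, plus a form field marked as a Barcode widget.
# Names inside the stream use #xx escapes (/J#53 -> /JS) to show why names must be normalised.
_JS_STREAM = zlib.compress(b"<< /S /J#61vaScript /J#53 (app.alert('constructed sample')) >>")
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R /AcroForm << /Fields [3 0 R] >> >> endobj\n"
    b"2 0 obj << /Length " + str(len(_JS_STREAM)).encode() + b" /Filter /FlateDecode >>\n"
    b"stream\n" + _JS_STREAM + b"\nendstream\nendobj\n"
    b"3 0 obj << /FT /Tx /T (bc) /Subtype /Widget /BarcodeWidget true >> endobj\n"
    b"%%EOF\n"
)
BENIGN_PDF = b"%PDF-1.7\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
INDICATORS = {
    "javascript": re.compile(rb"/(JS|JavaScript)\b"),    # script action or inline code
    "auto_action": re.compile(rb"/(OpenAction|AA)\b"),   # fires without a user click
    "barcode_widget": re.compile(rb"/BarcodeWidget\b"),  # widget type named in the advisory
}

def normalize_names(data: bytes) -> bytes:
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)  # /J#53 -> /JS

def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream to the raw file bytes."""
    chunks = [data]
    for m in STREAM_RE.finditer(data):
        try:
            chunks.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed or differently filtered stream: raw bytes are still scanned
    return b"\n".join(chunks)

def scan_pdf(data: bytes) -> dict:
    """Report which indicators appear anywhere in the inflated, name-normalised file."""
    text = normalize_names(inflate_streams(data))
    return {name: bool(pat.search(text)) for name, pat in INDICATORS.items()}

def triage(data: bytes) -> str:
    """Gateway verdict: JavaScript alongside a Barcode widget is the CVE-2024-25938 pattern."""
    hits = scan_pdf(data)
    if hits["javascript"] and hits["barcode_widget"]:
        return "quarantine"
    return "review" if hits["javascript"] else "allow"
```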

Monitoring Recommendations

  • Enable command-line argument logging and process creation auditing on workstations running Foxit products
  • Forward Foxit application crash dumps and Windows Error Reporting events to a centralized log platform for review
  • Track installed Foxit versions across the fleet and alert on hosts still running 2024.1.0.23997 or earlier
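The process-lineage and crash-correlation checks from the Detection Strategies and Monitoring Recommendations lists, as an added example that is not part of this advisory: it runs two rules over constructed process-creation and crash telemetry. The record layout, the five-minute correlation window and the interpreter list are this example's assumptions; the Foxit process names come from the advisory.

```python
from datetime import datetime, timedelta

FOXIT_PROCS = {"foxitpdfreader.exe", "foxitpdfeditor.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
CRASH_WINDOW = timedelta(minutes=5)  # assumed: how long after a Foxit crash a spawn is suspect

# Constructed telemetry (not real logs): "time<TAB>host<TAB>kind<TAB>detail" records, where
# kind is "proc" (detail = parent>child) or "crash" (detail = faulting image name).
SAMPLE_EVENTS = """\
2024-05-01T09:00:01\tws-17\tproc\tFoxitPDFReader.exe>FoxitPDFReader.exe
2024-05-01T09:00:05\tws-17\tcrash\tFoxitPDFReader.exe
2024-05-01T09:00:09\tws-17\tproc\tFoxitPDFReader.exe>powershell.exe
2024-05-01T09:30:00\tws-22\tproc\texplorer.exe>FoxitPDFEditor.exe
2024-05-01T09:31:00\tws-22\tproc\tFoxitPDFEditor.exe>FoxitPDFEditor.exe
2024-05-01T10:00:00\tws-31\tcrash\tFoxitPDFEditor.exe
2024-05-01T10:20:00\tws-31\tproc\texplorer.exe>cmd.exe
"""

def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        ts, host, kind, detail = line.split("\t")
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events

def find_alerts(events: list) -> list:
    """Rule 1: a Foxit process directly launches an interpreter.
    Rule 2: any interpreter starts on a host within CRASH_WINDOW of a Foxit crash."""
    alerts = []
    last_crash = {}  # host -> time of the most recent Foxit crash seen so far
    for ts, host, kind, detail in sorted(events):
        if kind == "crash":
            if detail.lower() in FOXIT_PROCS:
                last_crash[host] = ts
            continue
        parent, child = (p.lower() for p in detail.split(">"))
        if parent in FOXIT_PROCS and child in SUSPICIOUS_CHILDREN:
            alerts.append((host, "foxit_spawned_interpreter", detail))
        crashed = last_crash.get(host)
        if crashed and ts - crashed <= CRASH_WINDOW and child in SUSPICIOUS_CHILDREN:
            alerts.append((host, "interpreter_after_foxit_crash", detail))
    return alerts
```

Rule 2 deliberately does not require the Foxit process as the parent, so a payload that crashes the reader and is launched by another process on the same host still surfaces.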

How to Mitigate CVE-2024-25938

Immediate Actions Required

  • Upgrade Foxit PDF Reader and Foxit PDF Editor to the latest vendor-supplied release that supersedes 2024.1.0.23997
  • Disable the Foxit browser plugin extension in all supported browsers until patching is complete
  • Restrict opening of PDFs from untrusted sources and apply email gateway policies that quarantine PDFs with embedded JavaScript

Patch Information

Foxit addressed this vulnerability in versions released after 2024.1.0.23997. Administrators should consult the Talos Intelligence Vulnerability Report and the Foxit security bulletin page for the specific fixed build numbers applicable to PDF Reader and PDF Editor on Windows and macOS.

Workarounds

  • Disable JavaScript execution within Foxit PDF Reader and Editor via Preferences > JavaScript > Enable JavaScript Actions
  • Remove or disable the Foxit browser plugin to block drive-by exploitation through web-delivered PDFs
  • Enforce application allowlisting to prevent Foxit processes from spawning interpreters or unsigned binaries
```bash
# Configuration example: disable JavaScript in Foxit via Windows registry.
# The value path is as given on this page; confirm it against the installed build before rollout.
# HKCU applies to the current user only; deploy via Group Policy Preferences for fleet-wide coverage.
reg add "HKCU\Software\Foxit Software\Foxit PDF Reader\Preferences\JavaScript" /v bJSEnable /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Foxit Software\Foxit PDF Editor\Preferences\JavaScript" /v bJSEnable /t REG_DWORD /d 0 /f
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.