CVE-2025-11362 Overview
CVE-2025-11362 is a Denial of Service (DoS) vulnerability affecting the pdfmake JavaScript library, a popular client/server-side PDF printing solution for JavaScript applications. The vulnerability exists in versions prior to 0.3.0-beta.17 and stems from improper resource allocation when handling URL redirects during file embedding operations.
An attacker can exploit this vulnerability by providing crafted input containing repeatedly redirecting URLs, causing the application to exhaust resources and either crash or become unresponsive. This weakness falls under CWE-770: Allocation of Resources Without Limits or Throttling.
Critical Impact
Applications using vulnerable versions of pdfmake can be rendered completely unavailable through a resource exhaustion attack, potentially affecting business-critical document generation services.
Affected Products
- pdfmake versions 0.3.0-beta1 through 0.3.0-beta16
- All pdfmake versions prior to 0.3.0-beta.17
Discovery Timeline
- October 7, 2025 - CVE-2025-11362 published to NVD
- October 20, 2025 - Last updated in NVD database
Technical Details for CVE-2025-11362
Vulnerability Analysis
The vulnerability resides in pdfmake's URL resolution functionality, specifically within the URLResolver.js component. When pdfmake processes documents containing embedded files referenced via URLs, it follows HTTP redirects to fetch the content. However, prior to the security patch, there was no limit on the number of redirects the library would follow.
This architectural oversight allows an attacker to construct a malicious redirect chain—either a very long sequence of redirects or a circular redirect loop—that causes the application to continuously follow redirects until system resources are exhausted. The attack can be triggered remotely via network-accessible PDF generation endpoints without requiring authentication.
The impact is primarily on availability, as the vulnerable code path does not allow for data confidentiality or integrity compromise. However, for applications providing PDF generation as a service, this vulnerability can lead to complete service disruption.
Root Cause
The root cause is the absence of redirect count validation in the fetchUrl function within src/URLResolver.js. The original implementation blindly followed HTTP redirects without any safeguards, enabling infinite redirect loops or excessively long redirect chains to consume all available resources.
Attack Vector
The attack vector is network-based and requires no special privileges or user interaction. An attacker can exploit this vulnerability by:
- Creating a URL endpoint that returns an HTTP redirect response
- Configuring the redirect to point back to itself (circular) or to another redirecting URL (chain)
- Submitting a PDF generation request that embeds a file from the malicious URL
- pdfmake then follows the redirects indefinitely, consuming memory and CPU until the process is exhausted
import http from 'http';
import https from 'https';
-const fetchUrl = (url, headers = {}) => {
+const MAX_REDIRECTS = 30;
+
+const fetchUrl = (url, headers = {}, redirectCount = 0) => {
+ if (redirectCount >= MAX_REDIRECTS) {
+ return new Promise((_, reject) => {
+ reject(new Error(`Too many redirects (limit: ${MAX_REDIRECTS})`));
+ });
+ }
return new Promise((resolve, reject) => {
const parsedUrl = new URL(url);
const h = (parsedUrl.protocol === 'https:') ? https : http;
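Review bot: the limit branch wraps its rejection in `new Promise((_, reject) => { reject(...) })`; `return Promise.reject(new Error(...))` does the same in one line and keeps the function's promise shape. The excerpt also ends before the redirect-handling branch, so the recursive call that the guard depends on is not visible: confirm that every 3xx-with-Location path calls `fetchUrl(location, headers, redirectCount + 1)`, since if the count is not propagated `redirectCount` stays at 0 and `MAX_REDIRECTS` never fires. A pure count of 30 also lets a URL that redirects to itself cost 30 round trips before rejection; tracking the URLs already visited would terminate a circular chain on the second hop.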
Source: GitHub Commit
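The following is an added model of the behaviour described above, not pdfmake's code: a redirect follower fed by a constructed response table (the `a.example`, `b.example` and `c.example` hosts and the `resolveUrl`, `lookup` names are made up), run first unbounded as the vulnerable `fetchUrl` was, then with the 30-redirect cap from the fix, plus a visited-set that goes beyond the upstream patch and stops a circular chain on the first repeated URL.

```javascript
// Added example (not pdfmake's code): a redirect follower driven by a constructed
// response table, run unbounded as the vulnerable fetchUrl was, then with the redirect
// cap from the fix, plus a visited-set (my addition) that also stops circular chains early.
const RESPONSES = { // constructed "servers": URL -> what the resolver would receive
  'http://a.example/file.pdf': { status: 302, location: '/hop' },
  'http://a.example/hop':      { status: 302, location: 'http://b.example/loop' },
  'http://b.example/loop':     { status: 302, location: 'http://b.example/loop' }, // self-redirect
  'http://c.example/ok':       { status: 200, body: '%PDF-1.7 (constructed)' },
};
const lookup = (url) => RESPONSES[url] || { status: 404 };

// maxRedirects: Infinity with detectCycles: false reproduces the pre-fix behaviour;
// `budget` stands in for the memory/CPU the real process burns before it dies.
function resolveUrl(url, { maxRedirects = 30, detectCycles = true, budget = 10000 } = {}) {
  const seen = new Set();
  let current = url, hops = 0;
  for (;;) {
    // Same guard as the patched fetchUrl: refuse once the count reaches the cap.
    if (hops >= maxRedirects) return { ok: false, reason: `too many redirects (limit: ${maxRedirects})`, hops };
    if (detectCycles && seen.has(current)) return { ok: false, reason: 'redirect loop', hops };
    if (hops >= budget) return { ok: false, reason: 'resource exhaustion', hops };
    seen.add(current);
    const res = lookup(current);
    if (res.status >= 300 && res.status < 400 && res.location) {
      current = new URL(res.location, current).href; // Location may be relative
      hops += 1;
      continue;
    }
    return res.status === 200
      ? { ok: true, body: res.body, finalUrl: current, hops }
      : { ok: false, reason: `HTTP ${res.status}`, hops };
  }
}

// Vulnerable configuration: nothing stops the loop but the exhaustion budget.
const unbounded = resolveUrl('http://a.example/file.pdf', { maxRedirects: Infinity, detectCycles: false, budget: 1000 });
// Patched configuration: the cap fires at hop 30; with the visited-set it stops at hop 3.
const capped = resolveUrl('http://a.example/file.pdf', { detectCycles: false });
const cycleAware = resolveUrl('http://a.example/file.pdf');
console.log(unbounded.reason, unbounded.hops, '|', capped.reason, capped.hops, '|', cycleAware.reason, cycleAware.hops);
```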
Detection Methods for CVE-2025-11362
Indicators of Compromise
- Abnormally high CPU or memory utilization on servers running pdfmake-based applications
- Repeated HTTP/HTTPS requests to the same URL or chain of URLs from the PDF generation service
- Application logs showing excessive redirect warnings or URL resolution timeouts
- Service unresponsiveness or crashes coinciding with PDF generation requests
Detection Strategies
- Monitor application performance metrics for sudden spikes in resource consumption during PDF generation operations
- Implement network traffic analysis to detect unusual redirect patterns from backend services
- Review dependency manifests (e.g., package.json, package-lock.json) to identify vulnerable pdfmake versions
- Use software composition analysis (SCA) tools to automatically flag vulnerable npm packages
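As an added example of the dependency-manifest check above (not part of the advisory or of any SCA tool), the script below walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` and flags every installed pdfmake copy older than 0.3.0-beta.17; the function names and the sample lockfile are constructed, and the point it makes is that prerelease versions must be compared by semver precedence (beta.16 sorts before beta.17, and 0.3.0 outranks every 0.3.0-beta.N), not as strings.

```javascript
// Added example (not from the advisory): flag pdfmake entries in a package-lock.json object
// (lockfileVersion 2 or 3) whose version precedes the fixed release, using semver precedence.
const FIXED_VERSION = '0.3.0-beta.17';
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [+m[1], +m[2], +m[3]], pre: m[4] ? m[4].split('.') : [] };
}

// One prerelease identifier each: numeric ones compare as numbers and rank below alphanumeric ones.
function compareIdent(x, y) {
  const nx = /^\d+$/.test(x), ny = /^\d+$/.test(y);
  if (nx && ny) return Math.sign(+x - +y);
  if (nx !== ny) return nx ? -1 : 1;
  return x < y ? -1 : x > y ? 1 : 0;
}
// Semver precedence: core numbers first; a release outranks any prerelease of the same
// core; otherwise prerelease identifiers left to right, a shorter list ranking lower.
function compareSemver(a, b) {
  const A = parseSemver(a), B = parseSemver(b);
  for (let i = 0; i < 3; i++) if (A.core[i] !== B.core[i]) return Math.sign(A.core[i] - B.core[i]);
  if (!A.pre.length || !B.pre.length) return Math.sign(B.pre.length - A.pre.length);
  for (let i = 0; i < Math.min(A.pre.length, B.pre.length); i++) {
    const c = compareIdent(A.pre[i], B.pre[i]);
    if (c) return c;
  }
  return Math.sign(A.pre.length - B.pre.length);
}
const isVulnerablePdfmake = (version) => compareSemver(version, FIXED_VERSION) < 0;

// Every installed copy matters: a patched top-level pdfmake does not fix a stale
// copy nested under another dependency, so match on the path suffix, not just the root.
function findVulnerablePdfmake(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/pdfmake') && pkg.version && isVulnerablePdfmake(pkg.version)) {
      hits.push({ path, version: pkg.version });
    }
  }
  return hits;
}

// Constructed lockfile (v3 shape), not a real project's: patched root copy, stale nested copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'report-service' },
  'node_modules/pdfmake': { version: '0.3.0-beta.17' },
  'node_modules/legacy-reports/node_modules/pdfmake': { version: '0.3.0-beta.16' },
} };
console.log(findVulnerablePdfmake(SAMPLE_LOCK));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.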
Monitoring Recommendations
- Configure alerting on memory and CPU thresholds for services utilizing pdfmake
- Enable detailed logging for URL fetching operations within PDF generation workflows
- Implement request timeout monitoring to catch hanging operations early
- Track HTTP redirect counts in application-level telemetry
How to Mitigate CVE-2025-11362
Immediate Actions Required
- Upgrade pdfmake to version 0.3.0-beta.17 or later immediately
- Audit all Node.js projects for pdfmake dependencies using npm audit or yarn audit
- Implement input validation to restrict or sanitize URLs used in PDF file embedding
- Consider rate limiting PDF generation endpoints to reduce potential attack impact
Patch Information
The vulnerability has been addressed in pdfmake version 0.3.0-beta.17. The fix introduces a MAX_REDIRECTS constant set to 30, and the fetchUrl function now tracks redirect counts and rejects requests that exceed this limit.
To update, run:
npm update pdfmake
# or for a specific version
npm install pdfmake@0.3.0-beta.17
For additional details, refer to the GitHub Commit and Snyk Vulnerability Analysis.
Workarounds
- Implement a reverse proxy or WAF rule to limit redirects on outbound requests from PDF generation services
- Use URL allowlisting to restrict file embedding to trusted domains only
- Disable or restrict external URL embedding functionality if not required for business operations
- Deploy application-level timeouts for URL resolution operations to prevent indefinite hangs
# Example: Check and update pdfmake version
npm list pdfmake
npm update pdfmake --save
# Verify the installed version is patched
npm list pdfmake | grep "0.3.0-beta.17"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.