Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-55151

CVE-2025-55151: Stirling PDF SSRF Vulnerability

CVE-2025-55151 is an SSRF vulnerability in Stirling PDF that affects the file-to-PDF conversion functionality using LibreOffice's unoconvert tool. This article covers technical details, affected versions, and mitigation.

Updated:

CVE-2025-55151 Overview

CVE-2025-55151 is a Server-Side Request Forgery (SSRF) vulnerability in Stirling-PDF, a locally hosted web application that performs operations on PDF files. The flaw resides in the /api/v1/convert/file/pdf endpoint, which uses LibreOffice's unoconvert tool to convert uploaded files to PDF. An attacker can craft malicious input that triggers outbound requests from the server during conversion. The vulnerability affects all versions prior to 1.1.0 and is tracked under CWE-918. Maintainers patched the issue in version 1.1.0.

Critical Impact

Unauthenticated attackers can abuse the file conversion endpoint to send arbitrary requests from the Stirling-PDF server, enabling internal network reconnaissance, access to cloud metadata services, and interaction with internal-only services.

Affected Products

  • Stirling-PDF versions prior to 1.1.0
  • Deployments exposing the /api/v1/convert/file/pdf endpoint
  • Self-hosted instances bundled with LibreOffice unoconvert

Discovery Timeline

  • 2025-08-11 - CVE-2025-55151 published to NVD
  • 2025-08-15 - Last updated in NVD database

Technical Details for CVE-2025-55151

Vulnerability Analysis

Stirling-PDF exposes a REST endpoint at /api/v1/convert/file/pdf that accepts arbitrary documents and forwards them to LibreOffice's unoconvert utility for conversion to PDF. Document formats processed by LibreOffice support external resource references, including remote images, stylesheets, and embedded objects fetched over HTTP and other protocols. The conversion service follows these references during rendering without restricting destination hosts or URL schemes. An attacker uploads a crafted document containing references to internal endpoints, and the Stirling-PDF server resolves and fetches those URLs on the attacker's behalf.

Root Cause

The root cause is missing validation of external references embedded in user-supplied conversion inputs [CWE-918]. The conversion pipeline trusts LibreOffice to resolve remote resources without applying an outbound URL allowlist, scheme filter, or network egress restriction. Because the request originates from the Stirling-PDF host, it bypasses perimeter controls that would normally block direct access from untrusted clients.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker submits a document containing references to URLs such as http://169.254.169.254/latest/meta-data/ to reach cloud instance metadata, http://localhost:<port> to probe internal services, or other scheme handlers supported by LibreOffice. The server processes the document, fetches the referenced content, and may return parts of the response within the generated PDF or via error messages. This grants the attacker indirect read access to internal-only resources.

No public proof-of-concept code is referenced in the advisory. Technical details are available in the GitHub Security Advisory GHSA-76hv-h7g2-xfv3.

Detection Methods for CVE-2025-55151

Indicators of Compromise

  • Outbound HTTP requests from the Stirling-PDF host to internal IP ranges, localhost, or cloud metadata endpoints such as 169.254.169.254
  • Unusual file uploads to /api/v1/convert/file/pdf containing embedded external URL references
  • LibreOffice unoconvert processes initiating network connections during conversion jobs

Detection Strategies

  • Inspect application logs for POST requests to /api/v1/convert/file/pdf followed by egress connections from the same host
  • Monitor uploaded documents for embedded references to non-public hostnames, link targets, and external object includes
  • Correlate conversion job timestamps with firewall and proxy logs to identify SSRF callbacks

Monitoring Recommendations

  • Alert on any connection from the Stirling-PDF server to RFC1918 ranges, link-local addresses, or cloud metadata IPs
  • Capture and retain full request bodies submitted to conversion endpoints for forensic review
  • Track the running version of Stirling-PDF across deployments and flag any host below 1.1.0

How to Mitigate CVE-2025-55151

Immediate Actions Required

  • Upgrade Stirling-PDF to version 1.1.0 or later, which contains the official patch
  • Restrict outbound network access from the Stirling-PDF host to only required destinations
  • Place the conversion service behind authenticated access controls and remove anonymous internet exposure

Patch Information

The fix is committed in Stirling-Tools/Stirling-PDF commit 7d6b7087 and released in version 1.1.0. Administrators should review the GitHub Security Advisory GHSA-76hv-h7g2-xfv3 for full remediation guidance.

Workarounds

  • Run the Stirling-PDF container in a network namespace that blocks access to internal subnets and metadata endpoints
  • Disable the /api/v1/convert/file/pdf endpoint at the reverse proxy if conversion is not required
  • Apply an egress firewall rule limiting LibreOffice processes to denylisted destinations such as 169.254.0.0/16 and loopback addresses
bash
# Example egress restriction using iptables on the Stirling-PDF host
iptables -A OUTPUT -d 169.254.0.0/16 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne