CVE-2025-55313 Overview
CVE-2025-55313 affects Foxit PDF Reader and Foxit PDF Editor on Windows and macOS. The flaw allows arbitrary code execution when the application processes a crafted PDF file. The root cause is insufficient handling of memory allocation failures after JavaScript embedded in the PDF assigns an extremely large value to a form field's charLimit property. This triggers memory corruption that an attacker can leverage to run code in the context of the user. Exploitation requires user interaction, specifically opening the malicious document. Foxit addressed the issue in PDF Editor and Reader 13.2 and the 2025 line at version 2025.2.
Critical Impact
A crafted PDF can corrupt memory and execute arbitrary code in the context of the user opening the file.
Affected Products
- Foxit PDF Editor for Windows and macOS before 13.2 and 2025 before 2025.2
- Foxit PDF Reader for Windows and macOS before 13.2 and 2025 before 2025.2
- Microsoft Windows and Apple macOS hosts running any of the affected Foxit versions above
Discovery Timeline
- 2025-12-11 - CVE-2025-55313 published to NVD
- 2025-12-18 - Last updated in NVD database
Technical Details for CVE-2025-55313
Vulnerability Analysis
The vulnerability is classified under [CWE-94] Improper Control of Generation of Code. Foxit PDF Editor and Reader expose a JavaScript engine that lets PDF documents script form fields. One scriptable property, charLimit, controls the maximum number of characters a text field accepts. The application does not validate the value assigned to charLimit before using it to size internal buffers. When the script assigns an extremely large integer, the subsequent allocation can fail. The code path does not check the allocation result and continues to operate on the returned pointer. This produces memory corruption that an attacker can shape into a write primitive. The result is arbitrary code execution within the rendering process. Attackers typically deliver such PDFs through phishing email, drive-by download, or shared file repositories.
Root Cause
The defect is a missing failure check after a memory allocation request driven by attacker-controlled input. The charLimit property accepts unbounded numeric values from PDF JavaScript. When allocation fails, the code continues without recognizing the error state, leading to writes to invalid memory.
Attack Vector
Exploitation is local and requires the victim to open a malicious PDF in a vulnerable Foxit build. The attacker embeds JavaScript in the PDF that sets charLimit to an oversized value on a form field, triggering the corruption. No elevated privileges or network position are required.
No public proof-of-concept or weaponized exploit code is currently available for this issue. Refer to the Foxit Security Bulletins for vendor-provided technical context.
Detection Methods for CVE-2025-55313
Indicators of Compromise
- PDF files containing embedded JavaScript that writes large integer values to the charLimit property of form fields
- Unexpected crashes of FoxitPDFReader.exe or FoxitPDFEditor.exe shortly after a PDF is opened
- Child processes such as cmd.exe, powershell.exe, or rundll32.exe spawned by Foxit PDF processes
- Outbound network connections initiated by Foxit processes to untrusted destinations
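The process-spawn, network and crash indicators above can be turned into a small correlation pass over endpoint telemetry. The following is an added example written for this page, not Foxit's or any EDR vendor's code. The event lines are constructed JSON records in a made-up schema (ts, type, image, parent_image, dest, exception); the process names are the ones listed in the indicators, while the trusted-destination allowlist (updates.example.com) and the 120-second crash window are assumptions to replace with your own values.

```python
import json
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Process names taken from the advisory's indicators.
FOXIT_IMAGES = {"foxitpdfreader.exe", "foxitpdfeditor.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe"}
# Assumption: destinations a Foxit process may legitimately reach (update servers etc.).
TRUSTED_DESTINATIONS = {"updates.example.com"}
# Assumption: a Foxit crash this soon after a document open is worth an alert.
CRASH_WINDOW = timedelta(seconds=120)

# Constructed EDR-style telemetry (JSON lines) in a hypothetical schema; not real data.
SAMPLE_EVENTS = r"""
{"ts": "2025-12-12T09:00:00", "type": "file_open", "image": "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe", "file": "C:\\Users\\alice\\Downloads\\invoice.pdf"}
{"ts": "2025-12-12T09:00:04", "type": "process_create", "parent_image": "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe", "image": "C:\\Windows\\System32\\cmd.exe"}
{"ts": "2025-12-12T09:00:05", "type": "net_connect", "image": "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe", "dest": "203.0.113.9"}
{"ts": "2025-12-12T09:00:30", "type": "net_connect", "image": "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe", "dest": "updates.example.com"}
{"ts": "2025-12-12T09:01:10", "type": "crash", "image": "C:\\Program Files\\Foxit Software\\Foxit PDF Reader\\FoxitPDFReader.exe", "exception": "0xc0000005"}
{"ts": "2025-12-12T09:05:00", "type": "process_create", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\cmd.exe"}
"""


def _basename(path: str) -> str:
    """Case-insensitive file name component of a Windows path."""
    return PureWindowsPath(path).name.lower()


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines, convert timestamps, and order events chronologically."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["ts"] = datetime.fromisoformat(ev["ts"])
    return sorted(events, key=lambda ev: ev["ts"])


def detect(events: list[dict]) -> list[dict]:
    """Apply the three indicator-derived rules; one finding per matching event."""
    findings = []
    recent_opens = []  # timestamps of Foxit document opens, for crash correlation
    for ev in events:
        image = _basename(ev.get("image", ""))
        if ev["type"] == "file_open" and image in FOXIT_IMAGES:
            recent_opens.append(ev["ts"])
        elif ev["type"] == "process_create":
            parent = _basename(ev.get("parent_image", ""))
            if parent in FOXIT_IMAGES and image in SUSPICIOUS_CHILDREN:
                findings.append({"rule": "foxit_spawns_shell", "ts": ev["ts"], "child": image})
        elif ev["type"] == "net_connect":
            if image in FOXIT_IMAGES and ev["dest"] not in TRUSTED_DESTINATIONS:
                findings.append({"rule": "foxit_untrusted_network", "ts": ev["ts"], "dest": ev["dest"]})
        elif ev["type"] == "crash" and image in FOXIT_IMAGES:
            # Only alert when a Foxit document open happened shortly before the crash.
            if any(timedelta(0) <= ev["ts"] - t <= CRASH_WINDOW for t in recent_opens):
                findings.append({"rule": "foxit_crash_after_open", "ts": ev["ts"],
                                 "exception": ev.get("exception")})
    return findings


def run_sample() -> list[str]:
    """Rule names fired by the constructed sample, in time order."""
    return [f["rule"] for f in detect(parse_events(SAMPLE_EVENTS))]


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The explorer.exe-to-cmd.exe event and the connection to the allowlisted host are deliberately included so the rules are seen to stay quiet on ordinary activity; in a real deployment the crash correlation is the noisiest of the three and is best used to enrich the other two rather than to alert on its own.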
Detection Strategies
- Inspect inbound PDFs at the mail gateway for embedded JavaScript that manipulates form field charLimit properties with abnormally large numeric literals
- Monitor endpoint telemetry for Foxit reader or editor processes spawning shell, scripting, or LOLBin processes
- Alert on access violations and crash events generated by Foxit PDF processes correlated with recent document opens
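A gateway check for the first strategy has to look past the obvious place: PDF JavaScript is frequently stored in FlateDecode streams or as hex string literals, and a scanner that only greps the raw bytes misses both. The following is an added example for this page, not a Foxit tool or a shipped gateway rule. It scans the raw file, every Flate-decompressible stream and every hex string for charLimit assignments and flags numeric literals above a threshold; the 65535 threshold, the verdict names and the sample PDF fragments (which are constructed stand-ins, not real documents) are assumptions.

```python
import re
import zlib

# A charLimit assignment with a decimal or hex literal on the right-hand side.
CHARLIMIT_RE = re.compile(rb"charLimit\s*=\s*(0[xX][0-9a-fA-F]+|\d+)")
# Assumption: no legitimate text field needs more characters than this.
CHARLIMIT_THRESHOLD = 65535
# Stream bodies and hex string literals, both of which can hide script text.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
HEXSTR_RE = re.compile(rb"<((?:[0-9A-Fa-f]{2}\s*)+)>")
JS_KEY_RE = re.compile(rb"/(JS|JavaScript)\b")


def _views(pdf: bytes):
    """Yield the raw file plus every decodable hidden view of its contents."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            d = zlib.decompressobj()            # tolerates trailing EOL before 'endstream'
            yield d.decompress(m.group(1)) + d.flush()
        except zlib.error:
            pass                                # not a FlateDecode stream
    for m in HEXSTR_RE.finditer(pdf):
        yield bytes.fromhex(m.group(1).decode("ascii"))


def has_javascript(pdf: bytes) -> bool:
    """True if any view of the file carries a /JS or /JavaScript key."""
    return any(JS_KEY_RE.search(view) for view in _views(pdf))


def find_large_charlimit(pdf: bytes, threshold: int = CHARLIMIT_THRESHOLD) -> list[int]:
    """Every charLimit literal above the threshold, across all views of the file."""
    hits = []
    for view in _views(pdf):
        for m in CHARLIMIT_RE.finditer(view):
            tok = m.group(1)
            value = int(tok, 16) if tok[:2].lower() == b"0x" else int(tok)
            if value > threshold:
                hits.append(value)
    return hits


def verdict(pdf: bytes) -> str:
    """'quarantine' on an oversized charLimit, 'review' on any other script, else 'clean'."""
    if find_large_charlimit(pdf):
        return "quarantine"
    return "review" if has_javascript(pdf) else "clean"


# Constructed PDF fragments for exercising the scanner; they are not complete documents.
def sample_plain() -> bytes:
    """Script stored as a plain PDF string."""
    return (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS (this.getField(\"txt\").charLimit = 4294967295;) >>\nendobj\n")


def sample_flate() -> bytes:
    """Same idea, with the script inside a FlateDecode stream."""
    body = zlib.compress(b"var f = this.getField(\"txt\"); f.charLimit = 0xFFFFFFFF;")
    return (b"%PDF-1.7\n3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
            b"4 0 obj\n<< /Length " + str(len(body)).encode() + b" /Filter /FlateDecode >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\n")


def sample_hex() -> bytes:
    """Script written as a hex string literal."""
    js = b"this.getField(\"txt\").charLimit = 4294967295;"
    return b"%PDF-1.7\n5 0 obj\n<< /S /JavaScript /JS <" + js.hex().encode() + b"> >>\nendobj\n"


def sample_benign() -> bytes:
    """Ordinary form script with a sane limit; should only earn 'review'."""
    return b"%PDF-1.7\n6 0 obj\n<< /S /JavaScript /JS (this.getField(\"zip\").charLimit = 10;) >>\nendobj\n"


def scan_samples() -> dict:
    """Verdict for each constructed sample."""
    return {name: verdict(fn()) for name, fn in
            [("plain", sample_plain), ("flate", sample_flate), ("hex", sample_hex), ("benign", sample_benign)]}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        print(f"{name}: {result}")
```

This is a triage filter, not a parser: it does not follow object streams, other filters (LZW, ASCII85) or string escapes, so a clean result does not certify a file. It is meant to pull obvious candidates out of the mail flow for sandbox detonation, and the threshold should be tuned against the forms your organisation actually receives.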
Monitoring Recommendations
- Track installed Foxit PDF Editor and Reader versions across the fleet and flag instances below 13.2 or below 2025.2
- Forward Windows and macOS process, file, and network telemetry to a central data lake for retrospective hunting against this attack pattern
- Subscribe to the Foxit Security Bulletins feed for follow-on advisories
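Flagging versions "below 13.2 or below 2025.2" needs a little care, because the two release lines cannot be compared with a single numeric threshold (2025.1 is numerically far above 13.2 yet still vulnerable). The following is an added example written for this page rather than a Foxit or inventory-vendor tool. It reads a constructed CSV export (host, product, version), measures 13.x and lower versions against 13.2 and 2025.x against 2025.2, and reports other year-style lines as unknown rather than guessing; that split and the CSV layout are assumptions.

```python
import csv
import io
import re

# Fixed versions stated in the advisory, keyed by release line.
FIXED = {"13": (13, 2), "2025": (2025, 2)}

# Constructed inventory export; hostnames and versions are made up.
SAMPLE_INVENTORY = """host,product,version
ws-001,Foxit PDF Reader,13.1.0.22000
ws-002,Foxit PDF Editor,13.2.0.24000
ws-003,Foxit PDF Reader,2025.1.0.0
ws-004,Foxit PDF Editor,2025.2.0.1
ws-005,Foxit PDF Reader,2024.3.0.0
ws-006,Foxit PDF Editor,12.1.4.15000
ws-007,Other PDF Viewer,1.0.0
"""


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '13.1.0.22000' (or 'v13.1') into a comparable tuple of integers."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in nums)


def release_line(version: tuple[int, ...]) -> str:
    """Assumption: a year-style major (>= 2000) names its own line; anything
    lower is measured against 13.2, since the advisory says 'before 13.2'."""
    major = version[0]
    return str(major) if major >= 2000 else "13"


def status(product: str, version_text: str) -> str:
    """'vulnerable', 'fixed', 'unknown' (line not covered) or 'not_applicable'."""
    if "foxit pdf" not in product.lower():
        return "not_applicable"
    version = parse_version(version_text)
    fixed = FIXED.get(release_line(version))
    if fixed is None:
        return "unknown"   # a year line the advisory does not mention; check the bulletin
    # Compare (major, minor) only: 13.2.0.x and later builds on the line are fixed.
    return "vulnerable" if version[:2] < fixed else "fixed"


def flag_fleet(inventory_csv: str) -> dict[str, str]:
    """Map each host in the export to its patch status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: status(row["product"], row["version"]) for row in rows}


if __name__ == "__main__":
    for host, state in flag_fleet(SAMPLE_INVENTORY).items():
        print(f"{host}: {state}")
```

A version string with only a major component ("13") is treated as older than 13.2, which is the conservative reading; hosts reported as unknown should be resolved against the vendor bulletin rather than silently dropped from the rollout list.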
How to Mitigate CVE-2025-55313
Immediate Actions Required
- Upgrade Foxit PDF Editor and Foxit PDF Reader to 13.2 (13.x line) or 2025.2 (2025 line) on all Windows and macOS endpoints
- Block or quarantine inbound PDFs from untrusted senders at the email and web gateways until patching is complete
- Instruct users not to open PDF attachments from unknown sources while the rollout is in progress
Patch Information
Foxit released fixed builds in Foxit PDF Editor and Reader 13.2 and 2025.2 for both Windows and macOS. Refer to the Foxit Security Bulletins for the exact download packages and release notes.
Workarounds
- Disable JavaScript execution inside Foxit PDF Editor and Reader through the application's Preferences until the patch is applied
- Use application allowlisting to prevent Foxit PDF processes from launching shell or scripting child processes
- Open untrusted PDFs only inside an isolated sandbox or virtual machine
# Example: disable JavaScript in Foxit Reader via Windows registry (apply per environment)
reg add "HKCU\Software\Foxit Software\Foxit PDF Reader\Preferences\JavaScript" /v bEnableJS /t REG_DWORD /d 0 /f
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.