Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-55314

CVE-2025-55314: Foxit PDF Editor RCE Vulnerability

CVE-2025-55314 is a remote code execution flaw in Foxit PDF Editor caused by improper memory handling during JavaScript page deletion. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2025-55314 Overview

CVE-2025-55314 is a memory corruption vulnerability affecting Foxit PDF Reader and Foxit PDF Editor on Windows and macOS. The flaw exists in versions before 13.2 and 2025 versions before 2025.2. When pages in a PDF are deleted via JavaScript, the application fails to properly update internal states. Subsequent annotation management operations dereference invalid or released memory, leading to potential arbitrary code execution. The vulnerability is classified under [CWE-476] Null Pointer Dereference and requires user interaction to exploit.

Critical Impact

An attacker can craft a malicious PDF that triggers memory corruption when opened, potentially leading to arbitrary code execution in the context of the user running the application.

Affected Products

  • Foxit PDF Editor for Windows and macOS (versions before 13.2 and 2025 before 2025.2)
  • Foxit PDF Reader for Windows and macOS (versions before 13.2 and 2025 before 2025.2)
  • Microsoft Windows (host operating system)

Discovery Timeline

  • 2025-12-11 - CVE-2025-55314 published to NVD
  • 2025-12-18 - Last updated in NVD database

Technical Details for CVE-2025-55314

Vulnerability Analysis

The vulnerability resides in the page management and annotation handling subsystems of Foxit PDF Reader and Editor. When a PDF document programmatically deletes pages through embedded JavaScript, the application does not synchronize internal object references with the modified document structure. Annotation management routines later operate under the assumption that those object states remain valid. This mismatch produces a dereference of invalid or released memory, classified as [CWE-476]. The result is memory corruption that can crash the application or be steered toward arbitrary code execution.

Root Cause

The root cause is improper state management following JavaScript-driven page deletion. The application's internal tracking structures retain stale pointers to objects that have been freed or invalidated. When annotation operations subsequently process these references, the underlying memory is no longer guaranteed to be valid. This creates a window for an attacker to influence memory layout and corrupt program state.

Attack Vector

Exploitation requires a victim to open a crafted PDF file in a vulnerable version of Foxit PDF Reader or Editor. The malicious document embeds JavaScript that deletes pages and then triggers annotation operations against the resulting inconsistent state. Because the attack vector is local and requires user interaction, common delivery methods include phishing emails with PDF attachments, malicious downloads, and watering-hole sites distributing weaponized documents.

No public proof-of-concept code has been released for this issue. Technical details are documented in the Foxit Security Bulletins.

Detection Methods for CVE-2025-55314

Indicators of Compromise

  • Unexpected crashes of FoxitPDFReader.exe or FoxitPDFEditor.exe shortly after opening a PDF document
  • PDF files containing JavaScript that invokes page deletion APIs followed by annotation manipulation
  • Child processes spawned by Foxit applications that perform shell, scripting, or network activity
  • Anomalous memory access violations logged in Windows Application Event Log referencing Foxit binaries

Detection Strategies

  • Inspect inbound PDF attachments for embedded JavaScript using deletePages or annotation manipulation calls in close succession
  • Monitor endpoint telemetry for Foxit processes that crash or exhibit heap corruption signatures
  • Correlate document open events with subsequent process creation events that deviate from normal PDF viewing behavior

Monitoring Recommendations

  • Enable command-line and process lineage logging on endpoints running Foxit products
  • Forward PDF reader crash dumps and Windows Error Reporting telemetry to a centralized SIEM for analysis
  • Track outbound network connections originating from Foxit PDF Reader or Editor processes, which should generally be limited

How to Mitigate CVE-2025-55314

Immediate Actions Required

  • Upgrade Foxit PDF Editor and Reader to version 13.2 or later, or to 2025.2 or later, on all Windows and macOS endpoints
  • Inventory all systems running Foxit PDF products and prioritize patching for users who routinely process external PDFs
  • Block or quarantine PDF attachments at the email gateway pending patch deployment

Patch Information

Foxit has released fixed versions addressing this vulnerability. Users should update to Foxit PDF Editor and Reader 13.2 or later, or the 2025.2 release branch. Patch availability and download links are published in the Foxit Security Bulletins.

Workarounds

  • Disable JavaScript execution in Foxit PDF Reader and Editor through Preferences > JavaScript until patches are applied
  • Restrict opening of PDF files from untrusted sources and enforce safe-reading mode where available
  • Apply application allowlisting to prevent Foxit processes from spawning unexpected child processes such as cmd.exe or powershell.exe

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne