The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • AI Data Pipelines
      Security Data Pipeline for AI SIEM and Data Optimization
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-55853

CVE-2025-55853: SoftVision webPDF SSRF Vulnerability

CVE-2025-55853 is a server-side request forgery flaw in SoftVision webPDF that enables attackers to perform port scanning and local file inclusion. This article covers technical details, affected versions, and mitigation.

Published: February 20, 2026

CVE-2025-55853 Overview

CVE-2025-55853 is a Server-Side Request Forgery (SSRF) vulnerability affecting SoftVision webPDF before version 10.0.2. The PDF converter function fails to properly validate whether internal or external resources are being requested in uploaded files, allowing potentially dangerous protocols such as http:// and file:///. This flaw enables attackers to upload malicious XML or HTML files that, when processed and rendered to PDF, can facilitate internal port scanning and Local File Inclusion (LFI) attacks against the server.

Critical Impact

Attackers can leverage this SSRF vulnerability to perform internal network reconnaissance through port scanning and read sensitive local files via LFI, potentially exposing confidential configuration data, credentials, and internal service information.

Affected Products

  • SoftVision webPDF versions prior to 10.0.2
  • webPDF PDF converter service with XML/HTML processing capabilities
  • Systems exposing webPDF document conversion functionality

Discovery Timeline

  • 2026-02-19 - CVE-2025-55853 published to NVD
  • 2026-02-19 - Last updated in NVD database

Technical Details for CVE-2025-55853

Vulnerability Analysis

This Server-Side Request Forgery vulnerability exists in the PDF converter component of SoftVision webPDF. When the application processes uploaded XML or HTML files for conversion to PDF format, it fails to implement proper validation of external resource references embedded within those documents. The converter blindly follows URLs and file path references, including dangerous protocol handlers like http:// for network requests and file:/// for local file system access.

The lack of input validation on resource URIs creates a classic SSRF attack surface. An attacker can craft malicious documents containing specially constructed resource references that force the server to make requests to arbitrary destinations. When targeting internal network addresses, this enables reconnaissance of services running on internal hosts and ports that would otherwise be inaccessible from external networks.

Root Cause

The root cause of this vulnerability lies in insufficient input validation within the webPDF document converter's resource fetching mechanism. The application does not implement proper URL scheme whitelisting or destination address validation before fetching external resources during the PDF rendering process. This allows the processing of arbitrary protocol handlers and enables requests to internal network addresses and local file paths.

Attack Vector

The attack vector involves uploading a malicious XML or HTML document to the webPDF conversion service. The document contains crafted resource references (such as external stylesheets, images, or entity references) pointing to internal network addresses or local file paths. When webPDF processes the document for PDF conversion, it attempts to fetch these resources, effectively proxying attacker-controlled requests through the server.

For internal port scanning, an attacker can enumerate internal services by referencing various IP addresses and ports, observing response behavior differences to identify active services. For Local File Inclusion, using the file:/// protocol handler allows reading sensitive files such as /etc/passwd, configuration files, or application credentials that get embedded into the generated PDF output.

Technical details and proof-of-concept demonstrations are available in the GitHub PoC Repository. Additional information about the affected product can be found on the webPDF Service Overview page.

Detection Methods for CVE-2025-55853

Indicators of Compromise

  • Unusual PDF conversion requests containing file:/// protocol references in uploaded XML or HTML documents
  • Server-side network connections to internal IP ranges (e.g., 10.x.x.x, 172.16.x.x, 192.168.x.x) originating from the webPDF service
  • PDF output files containing unexpected file content or internal service responses
  • High volume of PDF conversion requests targeting various internal port combinations

Detection Strategies

  • Monitor webPDF service logs for uploaded documents containing suspicious protocol handlers (file://, gopher://, dict://)
  • Implement network intrusion detection rules to alert on internal network scanning patterns from web application servers
  • Analyze generated PDF documents for embedded content that should not be accessible to external users
  • Deploy web application firewall (WAF) rules to inspect uploaded XML/HTML content for SSRF payload patterns

Monitoring Recommendations

  • Enable detailed logging on the webPDF conversion service to capture all resource fetch attempts
  • Monitor network egress from webPDF servers for connections to internal network segments
  • Implement file integrity monitoring on sensitive configuration files that may be targeted via LFI
  • Set up alerts for unusual patterns in PDF file sizes that may indicate data exfiltration through embedded content

How to Mitigate CVE-2025-55853

Immediate Actions Required

  • Upgrade SoftVision webPDF to version 10.0.2 or later immediately
  • Restrict webPDF service network access to prevent connections to internal network ranges
  • Review and audit recent PDF conversion logs for potential exploitation attempts
  • Implement network segmentation to isolate the webPDF service from sensitive internal resources

Patch Information

SoftVision has addressed this vulnerability in webPDF version 10.0.2. Organizations should update to this version or later to remediate the SSRF vulnerability. The patch implements proper validation of resource URIs during document processing, restricting dangerous protocol handlers and preventing access to internal network resources.

For the latest security updates and patch information, consult the webPDF Service Overview page.

Workarounds

  • Configure network-level controls to block outbound connections from the webPDF server to internal network ranges and localhost
  • Disable or restrict support for XML and HTML file uploads if PDF conversion from these formats is not a business requirement
  • Implement a strict allowlist of permitted external domains for resource fetching during document conversion
  • Deploy the webPDF service in an isolated network segment with no access to internal services or sensitive file systems
bash
# Example: Network-level mitigation using iptables to block internal network access
# Block webPDF service from accessing internal networks
iptables -A OUTPUT -m owner --uid-owner webpdf -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner webpdf -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner webpdf -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner webpdf -d 127.0.0.0/8 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeSSRF
  • Vendor/TechSoftvision Webpdf
  • SeverityNONE
  • CVSS ScoreN/A
  • Known ExploitedNo
  • Impact Assessment
  • ConfidentialityNone
  • IntegrityNone
  • AvailabilityNone
  • Technical References
  • GitHub PoC Repository
  • WebPDF Service Overview
  • Latest CVEs
  • CVE-2026-40322: SiYuan Knowledge Management RCE Vulnerability
  • CVE-2026-40318: SiYuan Path Traversal Vulnerability
  • CVE-2026-40259: SiYuan Auth Bypass Vulnerability
  • CVE-2026-40255: AdonisJS HTTP Server CSRF Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English