CVE-2026-33438 Overview
CVE-2026-33438 is a Denial of Service (DoS) vulnerability affecting Stirling-PDF, a locally hosted web application designed for performing various operations on PDF files. The vulnerability exists in the watermark functionality exposed through the /api/v1/security/add-watermark endpoint. Authenticated users can exploit this flaw by providing extreme values for the fontSize and widthSpacer parameters, causing resource exhaustion and server crashes.
Critical Impact
Authenticated attackers can cause complete service disruption by exploiting improper resource allocation controls in the watermark API endpoint.
Affected Products
- Stirling-PDF versions 2.1.5 through 2.5.1
Discovery Timeline
- 2026-03-26 - CVE CVE-2026-33438 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33438
Vulnerability Analysis
This vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The watermark functionality in Stirling-PDF fails to properly validate and constrain user-supplied input parameters before allocating resources. When authenticated users submit requests to the /api/v1/security/add-watermark endpoint with excessively large values for fontSize and widthSpacer parameters, the application attempts to allocate memory and processing resources proportional to these extreme values without adequate bounds checking.
The network-accessible nature of this vulnerability combined with the low complexity required for exploitation makes it particularly concerning for organizations running Stirling-PDF instances accessible to multiple users or exposed to untrusted networks.
Root Cause
The root cause is improper input validation and the absence of resource allocation limits in the watermark generation functionality. The application does not enforce maximum thresholds for the fontSize and widthSpacer parameters, allowing authenticated users to specify arbitrarily large values that trigger excessive memory consumption or CPU utilization during the watermark rendering process.
Attack Vector
The attack is conducted over the network by authenticated users targeting the /api/v1/security/add-watermark endpoint. An attacker sends crafted HTTP requests with extreme parameter values, causing the server to exhaust available memory or CPU resources during watermark processing. This results in service degradation or complete server crashes, affecting all users of the Stirling-PDF instance.
The vulnerability requires authentication but no special privileges beyond basic user access to the watermark functionality. See the GitHub Security Advisory for additional technical details.
Detection Methods for CVE-2026-33438
Indicators of Compromise
- Unusual spikes in memory or CPU utilization on servers hosting Stirling-PDF
- HTTP POST requests to /api/v1/security/add-watermark with abnormally large fontSize or widthSpacer values
- Application crashes or unresponsiveness following watermark API requests
- Server out-of-memory (OOM) errors in system logs correlating with Stirling-PDF activity
Detection Strategies
- Monitor API logs for requests to the /api/v1/security/add-watermark endpoint containing parameter values exceeding reasonable thresholds
- Implement rate limiting and request size monitoring on the Stirling-PDF application endpoints
- Configure alerting for sudden increases in resource consumption tied to the Stirling-PDF process
- Deploy Web Application Firewall (WAF) rules to inspect and block requests with extreme numeric parameter values
Monitoring Recommendations
- Enable detailed logging for the Stirling-PDF application and correlate with system resource metrics
- Set up resource utilization thresholds that trigger alerts before complete exhaustion occurs
- Monitor for repeated failed or aborted requests to the watermark endpoint that may indicate exploitation attempts
How to Mitigate CVE-2026-33438
Immediate Actions Required
- Upgrade Stirling-PDF to version 2.5.2 or later immediately
- Review access controls to ensure only trusted users have access to the watermark functionality
- Implement network-level restrictions to limit access to the Stirling-PDF instance
- Monitor server resources for signs of exploitation attempts
Patch Information
The vulnerability has been addressed in Stirling-PDF version 2.5.2. The patch introduces proper input validation and resource allocation limits for the fontSize and widthSpacer parameters in the watermark functionality. Organizations should update to this version or later to remediate the vulnerability.
For additional details, refer to the GitHub Security Advisory.
Workarounds
- Restrict access to the /api/v1/security/add-watermark endpoint using reverse proxy rules or application-level access controls
- Implement resource limits (memory and CPU) on the Stirling-PDF container or process using cgroups or container orchestration limits
- Deploy rate limiting on the watermark API endpoint to prevent rapid exploitation attempts
- Consider temporarily disabling the watermark functionality if it is not business-critical until patching is complete
# Example: Set container resource limits for Stirling-PDF using Docker
docker run -d \
--name stirling-pdf \
--memory="2g" \
--cpus="1.5" \
stirling-pdf:latest
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
