VYPR
Unrated severity · NVD Advisory · Published Jun 4, 2020 · Updated Aug 5, 2024

CVE-2019-20819

Description

An issue was discovered in Foxit Reader and PhantomPDF before 9.7. It allows stack consumption via nested function calls for XML parsing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nested XML parsing calls in Foxit Reader and PhantomPDF before 9.7 cause stack exhaustion, leading to denial of service.

Vulnerability

Foxit Reader and PhantomPDF before version 9.7 contain a vulnerability in which recursive or deeply nested function calls during XML parsing can exhaust the call stack [1]. This occurs when the XML in a specially crafted PDF file is structured so that the parser calls itself repeatedly without proper depth control.
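
The depth control this paragraph says is missing, shown in a minimal recursive element parser with the bound in place. This is an added example, not Foxit's code or code from the cited reference; `MAX_DEPTH`, `xml_check` and `check_nested` are hypothetical names, and the parser is simplified (no tag-name matching, comments, CDATA, or `>` inside attribute values).

```c
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 64  /* assumed cap for this example, not a Foxit value */
enum { XML_OK = 0, XML_ERR_SYNTAX = -1, XML_ERR_TOO_DEEP = -2 };

/* Advance *p past the '>' that ends the current tag; note a "/>" ending. */
static int end_of_tag(const char **p, int *self_closing) {
    const char *gt = strchr(*p, '>');
    if (!gt) return XML_ERR_SYNTAX;
    *self_closing = (gt[-1] == '/');   /* safe: *p points at '<', so gt > *p */
    *p = gt + 1;
    return XML_OK;
}

/* Parse one element at *p. Each nesting level costs one stack frame, so
 * the depth argument is the only thing bounding stack use. */
static int parse_element(const char **p, int depth) {
    int self_closing, rc;
    if (depth > MAX_DEPTH) return XML_ERR_TOO_DEEP;  /* depth control */
    if (**p != '<') return XML_ERR_SYNTAX;
    if ((rc = end_of_tag(p, &self_closing)) != XML_OK) return rc;
    if (self_closing) return XML_OK;
    for (;;) {
        while (**p && **p != '<') (*p)++;            /* skip text content */
        if (!**p) return XML_ERR_SYNTAX;             /* element never closed */
        if ((*p)[1] == '/') return end_of_tag(p, &self_closing);
        if ((rc = parse_element(p, depth + 1)) != XML_OK) return rc;
    }
}

int xml_check(const char *doc) { return parse_element(&doc, 1); }

/* Constructed input: `levels` nested <a> elements, then the closing tags. */
int check_nested(int levels) {
    char *doc = malloc((size_t)levels * 7 + 1), *w = doc;
    int i, rc;
    if (!doc) return XML_ERR_SYNTAX;
    for (i = 0; i < levels; i++) { memcpy(w, "<a>", 3); w += 3; }
    for (i = 0; i < levels; i++) { memcpy(w, "</a>", 4); w += 4; }
    *w = '\0';
    rc = xml_check(doc);
    free(doc);
    return rc;
}

int main(void) { return check_nested(100000) == XML_ERR_TOO_DEEP ? 0 : 1; }
```

With the check in place, input nested far beyond the cap is rejected after at most `MAX_DEPTH` frames; without it, recursion depth would follow the input.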

Exploitation

An attacker must convince a user to open a malicious PDF file using an affected version of Foxit Reader or PhantomPDF [1]. No special network position or authentication is required beyond delivering the file, typically via email attachment or web download. Once the file is opened, the XML parsing engine enters a deep call chain, consuming stack memory until the application crashes or becomes unresponsive.

Impact

Successful exploitation results in a denial of service (DoS) condition [1]. The application terminates unexpectedly or freezes, preventing the user from accessing or processing PDF content. No data disclosure, file modification, or remote code execution is described in the available references.

Mitigation

Foxit released version 9.7, which addresses this issue [1]. Users should update to Foxit Reader 9.7 or PhantomPDF 9.7 or later. No workarounds are documented in the references. This CVE is not listed in the Known Exploited Vulnerabilities (KEV) catalog as of writing.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

References

1
