VYPR
High severity · NVD Advisory · Published Oct 7, 2025 · Updated Oct 9, 2025

CVE-2025-11362

Description

Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via a repeatedly redirecting URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that triggers this condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

pdfmake before 0.3.0-beta.17 is vulnerable to denial of service when embedding a file from a URL that keeps redirecting: the library follows redirects without any limit, so the process can hang or crash and the service becomes unavailable.

Vulnerability

Overview

CVE-2025-11362 is an uncontrolled resource consumption vulnerability in the pdfmake library, affecting versions before 0.3.0-beta.17. The root cause is the absence of any limit on HTTP redirects when the library embeds a file (for example an image) from a user-supplied URL: the internal fetcher recursed into itself on every 3xx response that carried a Location header and kept no hop counter, so a URL that keeps redirecting is followed indefinitely. Each hop opens another outbound request and nests another pending Promise, so CPU time and memory grow without bound until the process hangs or crashes [1][3].

Exploitation

Scenario

An attacker exploits this by submitting a PDF generation request whose document definition references an embedded resource by a URL under the attacker's control. No authentication is needed beyond whatever the application already requires for PDF generation, as long as the URL is passed through to pdfmake. The library fetches the URL, receives a redirect, follows the new Location, which redirects again, and so on, producing an endless chain of outbound HTTP requests that ties up the worker handling the request while CPU time and memory keep growing [3][4].

Impact

The immediate impact is denial of service: the server process hangs or crashes and stops serving other requests. In serverless environments such as AWS Lambda the endless chain runs until the function times out, making the service unavailable and, because compute is billed by time and failed invocations are often retried, driving up cost. The weakness is classified as allocation of resources without limits or throttling; a single crafted document definition is enough to trigger it, and the attacker can resubmit it as often as they like [1][4].

Mitigation

The fix shipped in pdfmake version 0.3.0-beta.17, which caps redirect following at 30 hops and rejects the embed with an error beyond that; upgrade to that version or later. As the fixed release is a beta, production deployment should follow the project's own stability guidance. The project documents no workaround [3][4]. Two caveats for operators: the patch bounds the number of hops but adds no per-request timeout, so a redirecting host that accepts the connection and answers slowly can still hold a request open for a long time; and applications that cannot upgrade immediately can keep attacker-controlled URLs away from pdfmake entirely by fetching the resource themselves with an HTTP client that enforces redirect, timeout and size limits, then passing the fetched bytes to pdfmake instead of the URL.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Affected versions                  Patched versions
pdfmake (npm)   >= 0.3.0-beta.1, < 0.3.0-beta.17   0.3.0-beta.17

Affected products

2
  • pdfmake/pdfmake (source: description)
  • Pdfmake/Pdfmake (source: llm-fuzzy)
    Range: <0.3.0-beta.17

Patches

1
741169634bf0

fixed `DoS via repeatedly redirect URL in file embedding`

https://github.com/bpampuch/pdfmake · xryuseix · Apr 28, 2025 · via GHSA
2 files changed · +14 −3
  • CHANGELOG.md (+4 −0, modified)
    @@ -1,5 +1,9 @@
     # Changelog
     
    +## Unreleased
    +
    +- Fixed DoS via repeatedly redirect URL in file embedding
    +
     ## 0.3.0-beta.16 - 2025-04-26
     
     - Update pdfkit to 0.17.0
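Review bot: the Unreleased entry does not say what the new behaviour is or reference the advisory, so a user hitting the new error has nothing to look up. Stating the limit introduced in src/URLResolver.js, e.g. `- Fixed DoS via repeatedly redirecting URL in file embedding: fetchUrl now rejects after 30 redirects`, tells operators what to expect when an image host misbehaves.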
    
  • src/URLResolver.js (+10 −3, modified)
    @@ -1,7 +1,14 @@
     import http from 'http';
     import https from 'https';
     
    -const fetchUrl = (url, headers = {}) => {
    +const MAX_REDIRECTS = 30;
    +
    +const fetchUrl = (url, headers = {}, redirectCount = 0) => {
    +	if (redirectCount >= MAX_REDIRECTS) {
    +		return new Promise((_, reject) => {
    +			reject(new Error(`Too many redirects (limit: ${MAX_REDIRECTS})`));
    +		});
    +	}
     	return new Promise((resolve, reject) => {
     		const parsedUrl = new URL(url);
     		const h = (parsedUrl.protocol === 'https:') ? https : http;
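Review bot: the early exit at `if (redirectCount >= MAX_REDIRECTS)` hand-builds a rejected Promise with an unused `_` parameter; `return Promise.reject(new Error(...))` is the idiomatic form and reads the same. `MAX_REDIRECTS = 30` also deserves a one-line comment on why 30 was chosen, since common clients (browsers, Node's fetch) stop at around 20 and nothing here lets a caller lower it.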
    @@ -12,8 +19,8 @@ const fetchUrl = (url, headers = {}) => {
     		h.get(url, options, res => {
     			if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) { // redirect url
     				res.resume();
    -				
    -				fetchUrl(res.headers.location).then(buffer => {
    +
    +				fetchUrl(res.headers.location, {}, redirectCount + 1).then(buffer => {
     					resolve(buffer);
     				}, result => {
     					reject(result);
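Review bot: the hop counter bounds how many redirects are followed but not how long each hop may take; `h.get(url, options, res => {` passes no `timeout`, so a redirecting host that accepts the connection and never answers still pins the request indefinitely, and the DoS named in the commit message is only partly closed. Set `timeout` in `options` (or call `req.setTimeout`) and destroy the request on the `timeout` event. Two smaller points on the same lines: `res.headers.location` is handed to `fetchUrl` unchanged, so a relative `Location` (permitted by RFC 7231) makes `new URL(url)` throw instead of being resolved with `new URL(res.headers.location, url).href`, and the `{}` in `fetchUrl(res.headers.location, {}, redirectCount + 1)` drops the caller's `headers` on every hop, which was already the behaviour before this change but is now explicit and worth a comment.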
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

0

No linked articles in our index yet.