Description
A Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6, which introduces the setUrlAccessPolicy() method so that server operators can define URL access rules.
Recommendation
Update the pdfmake package to the latest compatible version. The version details are as follows:
- Affected version(s): >= 0.3.0-beta.2, < 0.3.6
- Patched version(s): 0.3.6
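
The Description says 0.3.6 lets operators define URL access rules through setUrlAccessPolicy(). As an added example (not pdfmake's code and not part of this advisory), here is a default-deny rule an operator might enforce; the allowlisted hostnames and the function names are assumptions, and because this page does not show the callback signature setUrlAccessPolicy() expects, the rule is written as a standalone predicate.

```javascript
// Added example: default-deny URL access rule for server-side PDF generation.
// Not pdfmake code. Register it according to the pdfmake 0.3.6 documentation.

// Assumption: the only hosts this deployment legitimately fetches assets from.
const ALLOWED_HOSTS = new Set(['assets.example.com', 'cdn.example.com']);

// Returns null when the URL may be fetched, otherwise a reason string for logs.
function denyReason(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (err) {
    return 'unparseable URL';
  }
  // Only https: this also rejects http:, file:, data:, ftp: and similar.
  if (url.protocol !== 'https:') return 'scheme not allowed: ' + url.protocol;
  // Userinfo is a common way to disguise the real host (allowed.host@real.host).
  if (url.username !== '' || url.password !== '') return 'embedded credentials';
  // The URL parser drops the default port, so any remaining port is non-443.
  if (url.port !== '') return 'non-default port: ' + url.port;

  // The WHATWG parser lowercases the host and rewrites decimal, hex and octal
  // IPv4 spellings to dotted-quad form, so one check covers all of them.
  const host = url.hostname.replace(/\.$/, '');
  const isIpLiteral = host.startsWith('[') || /^\d+\.\d+\.\d+\.\d+$/.test(host);
  if (isIpLiteral) return 'IP literal host: ' + host;

  // Exact match only: no suffix or substring matching against the allowlist.
  if (!ALLOWED_HOSTS.has(host)) return 'host not on allowlist: ' + host;
  return null;
}

function isUrlAllowed(rawUrl) {
  return denyReason(rawUrl) === null;
}
```

A hostname allowlist is checked before any DNS lookup or redirect happens, so confirm separately whether the fetching code follows redirects and whether the rule is applied again to the redirect target.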
Related Issues
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) (GHSA-x8rq-rc7x-5fg5) - CVE-2022-0086
- Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads - CVE-2026-27567
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
Tags: npm, pdfmake
Last updated on March 19, 2026