Description
A Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6, which introduces the setUrlAccessPolicy() method, allowing server operators to define URL access rules.
Recommendation
Update the pdfmake package to the latest compatible version. Version details:
- Affected version(s): >= 0.3.0-beta.2, < 0.3.6
- Patched version(s): 0.3.6
References
Related Issues
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - uppy - CVE-2022-0086
- uppy's companion module is vulnerable to Server-Side Request Forgery (SSRF) - CVE-2022-0086
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads - CVE-2026-27567
Tags: npm, pdfmake
Last updated on March 19, 2026


