pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding
- Severity: High
Description
Versions of the package pdfmake from 0.3.0-beta.1 to before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via a repeatedly redirecting URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that triggers this condition.
Recommendation
Update the pdfmake package to the latest compatible version. Version details:
- Affected version(s): >= 0.3.0-beta.1, < 0.3.0-beta.17
- Patched version(s): 0.3.0-beta.17
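As an added example (not pdfmake's code), one defensive pattern against this class of issue: a redirect-follower that caps the number of hops and rejects loops before any response body is embedded. The `fetchOnce(url)` interface returning `{status, headers, body}` and the `example.invalid` hosts are assumptions constructed for the demo, so it runs offline.

```javascript
// Added example, not pdfmake's implementation. Bounded redirect following for
// URL-based file embedding: an endless or cyclic redirect chain is rejected
// after a fixed number of hops instead of consuming resources indefinitely.
const MAX_REDIRECTS = 5;

// fetchOnce is an assumed synchronous fetcher: url -> { status, headers, body }.
function resolveWithRedirectLimit(fetchOnce, startUrl, maxRedirects = MAX_REDIRECTS) {
  const seen = new Set();
  let url = startUrl;
  for (let hop = 0; hop <= maxRedirects; hop++) {
    if (seen.has(url)) throw new Error(`redirect loop at ${url}`);
    seen.add(url);
    const res = fetchOnce(url);
    if (res.status >= 300 && res.status < 400) {
      const location = res.headers.location;
      if (!location) throw new Error(`redirect without Location from ${url}`);
      url = new URL(location, url).href; // resolve relative Location against current URL
      continue;
    }
    // Final (non-redirect) response: caller may now validate and embed the body.
    return { url, status: res.status, body: res.body, hops: hop };
  }
  throw new Error(`exceeded ${maxRedirects} redirects starting at ${startUrl}`);
}

// Constructed in-memory responses (no network): one legitimate one-hop chain,
// one two-node redirect cycle, and one chain that redirects forever.
const routes = {
  'https://example.invalid/logo': { status: 301, headers: { location: 'https://cdn.example.invalid/logo.png' }, body: null },
  'https://cdn.example.invalid/logo.png': { status: 200, headers: {}, body: Buffer.from('fake png bytes') },
  'https://example.invalid/loop-a': { status: 302, headers: { location: '/loop-b' }, body: null },
  'https://example.invalid/loop-b': { status: 302, headers: { location: '/loop-a' }, body: null },
};

function fakeFetch(url) {
  if (routes[url]) return routes[url];
  // /bounce/N always redirects to /bounce/N+1: an unbounded chain.
  const m = url.match(/^https:\/\/example\.invalid\/bounce\/(\d+)$/);
  if (m) return { status: 302, headers: { location: `/bounce/${Number(m[1]) + 1}` }, body: null };
  return { status: 404, headers: {}, body: null };
}

// Helper that reports the outcome as a string instead of throwing.
function tryResolve(startUrl) {
  try {
    const r = resolveWithRedirectLimit(fakeFetch, startUrl);
    return `ok ${r.status} after ${r.hops} hop(s): ${r.url}`;
  } catch (e) {
    return `rejected: ${e.message}`;
  }
}
```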
Related Issues
- Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass - CVE-2025-64525
- axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL - CVE-2025-27152
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values - CVE-2025-64765
- Tags: npm, pdfmake
Last updated on October 08, 2025