@pdfme/common vulnerable to to XSS and Prototype Pollution through its expression evaluation

Severity:: Medium

Description

The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks.

Recommendation

Update the @pdfme/common package to the latest compatible version. Followings are version details:

Affected version(s): >= 5.2.0, < 5.4.1
Patched version(s): 5.4.1

References

GHSA-54xv-94qv-2gfg
CVE-2025-53626
CWE-1321
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

min-document vulnerable to prototype pollution - CVE-2025-57352
rollbar vulnerable to prototype pollution - CVE-2025-57325
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs - CVE-2025-62374
counterpart vulnerable to prototype pollution - CVE-2025-57354

How to Secure your NodeJs Express Javascript Application - part 1

How do hackers hack websites?

CSRF, XXE, and 12 Other Security Acronyms Explained

Tags:: npm; @pdfme/common

Anything's wrong? Let us know Last updated on July 10, 2025