PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled
- Severity: Medium
Description
The `getB64BasePdf` function in `@pdfme/common` passes `basePdf` straight to `fetch()` without validating it whenever `basePdf` is a string that is not a data URI and `window` is defined. Because the URL is never checked, the scheme, host and path are entirely attacker-chosen, which is the classic server-side request forgery (SSRF) shape: the fetch can be pointed at internal services, link-local cloud metadata endpoints or any other origin reachable from the process that renders the template. An attacker who can control the basePdf field of a template (e.g.
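The following is an added example, not code from pdfme or this advisory. It reconstructs the unvalidated-fetch pattern described above in a hypothetical `getB64BasePdfUnsafe` and puts a hardened `getB64BasePdfSafe` beside it; `validateBasePdfUrl`, `makeFakeFetch`, the `cdn.example.com` allow list and the fake PDF body are all assumptions made for the example, and the real function's exact behaviour (including its `window` check) is not reproduced. `fetch` is injected as a parameter so the example runs offline and shows which URLs each variant would actually request.

```javascript
// Added example (not pdfme's own code): a hypothetical reconstruction of the
// unvalidated-fetch pattern the advisory describes, next to a hardened variant.
// fetchImpl is injected so the example runs offline with a constructed fake fetch.

function base64FromDataUri(dataUri) {
  // Assumes the "data:<mime>;base64,<payload>" form and returns the payload.
  const comma = dataUri.indexOf(',');
  if (comma === -1 || !dataUri.slice(0, comma).endsWith(';base64')) {
    throw new Error('basePdf data URI must be base64-encoded');
  }
  return dataUri.slice(comma + 1);
}

// Vulnerable pattern: any non-data string goes straight to fetch(), so an
// attacker-controlled basePdf can target internal hosts, cloud metadata
// endpoints, or whatever non-HTTP schemes the fetch implementation accepts.
async function getB64BasePdfUnsafe(basePdf, fetchImpl) {
  if (basePdf.startsWith('data:')) return base64FromDataUri(basePdf);
  const res = await fetchImpl(basePdf);
  return Buffer.from(await res.arrayBuffer()).toString('base64');
}

// Hardened variant: parse the URL, pin the scheme, reject credentials and
// IP literals, and require the origin to be on an explicit allow list.
function validateBasePdfUrl(raw, allowedOrigins) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { ok: false, reason: 'not an absolute URL' };
  }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme must be https' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname;
  if (host === 'localhost' || host.endsWith('.localhost')) {
    return { ok: false, reason: 'loopback host' };
  }
  // WHATWG URL parsing normalizes forms such as 0x7f000001 to a dotted quad,
  // so one literal check covers them; IPv6 literals arrive bracketed.
  if (host.startsWith('[') || /^\d+\.\d+\.\d+\.\d+$/.test(host)) {
    return { ok: false, reason: 'IP literal not allowed' };
  }
  if (!allowedOrigins.has(url.origin)) return { ok: false, reason: 'origin not allow-listed' };
  return { ok: true, href: url.href };
}

async function getB64BasePdfSafe(basePdf, fetchImpl, allowedOrigins) {
  if (basePdf.startsWith('data:')) return base64FromDataUri(basePdf);
  const check = validateBasePdfUrl(basePdf, allowedOrigins);
  if (!check.ok) throw new Error(`refusing to fetch basePdf: ${check.reason}`);
  // redirect: 'error' keeps an allow-listed host from bouncing the request to
  // an internal address; the allow list is useless once a redirect is followed.
  const res = await fetchImpl(check.href, { redirect: 'error' });
  if (!res.ok) throw new Error(`basePdf fetch failed: HTTP ${res.status}`);
  return Buffer.from(await res.arrayBuffer()).toString('base64');
}

// Constructed fake fetch: records every URL it is asked for, returns a fake PDF body.
function makeFakeFetch(requested) {
  return async (url) => {
    requested.push(String(url));
    return {
      ok: true,
      status: 200,
      arrayBuffer: async () => new TextEncoder().encode('%PDF-1.4 fake').buffer,
    };
  };
}

const ALLOWED = new Set(['https://cdn.example.com']); // assumed allow list

async function demo() {
  const requested = [];
  const fetchImpl = makeFakeFetch(requested);
  // Unsafe: the metadata URL is requested as-is.
  await getB64BasePdfUnsafe('http://169.254.169.254/latest/meta-data/', fetchImpl);
  // Safe: the same input is rejected before any request is made.
  let rejected = null;
  try {
    await getB64BasePdfSafe('http://169.254.169.254/latest/meta-data/', fetchImpl, ALLOWED);
  } catch (e) {
    rejected = e.message;
  }
  const b64 = await getB64BasePdfSafe('https://cdn.example.com/base.pdf', fetchImpl, ALLOWED);
  return { requested, rejected, b64 };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The allow list is the control that matters; the scheme, credential and IP-literal checks are defence in depth for deployments that cannot enumerate origins. Note that a hostname check cannot see what the name resolves to, so a name on the allow list that resolves to a private address (or is rebound after the check) is still reachable; pinning resolved addresses at connect time is outside what this example shows.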
Recommendation
Update the `@pdfme/common` package to a patched version. Version details:
- Affected version(s): <= 5.5.9
- Patched version(s): 5.5.10
References
Related Issues
- auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs - Vulnerability
- @utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol - CVE-2026-45366
- i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters - CVE-2026-42353
- Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection - Vulnerability
- Tags: npm, @pdfme/common
Last updated on March 20, 2026