The disclosure from Novee Security showcases its AI-augmented human-agent research workflow to demonstrate scalable zero-day discovery across widely deployed, complex PDF platforms.
Both Apryse and Foxit were notified under responsible disclosure, and patches or mitigations have been coordinated prior to publication.
Attack Surface and Research Method
Apryse WebViewer operates across three distinct layers: a React-based UI iframe accepting untrusted input from query strings, postMessage, remote JSON configuration, and URL fragments; a JavaScript/WebAssembly document engine handling parsing and rendering; and a server-side SDK for HTML-to-PDF conversion and thumbnail generation.
Each layer represents a distinct trust boundary, and failures to validate input crossing those boundaries formed the root cause of the discovered vulnerabilities.
Novee’s discovery methodology combined human researcher intuition with an AI agent swarm. Researchers first manually identified foundational vulnerability patterns, then encoded that reasoning into three specialized agents: Tracer (sink enumeration and backward source-to-sink chain mapping), Resolver (control flow and validation boundary analysis), and Bypass (PoC construction and exploitability proof), enabling systematic coverage of the entire attack surface at scale.
The most severe finding is a Critical OS Command Injection (CVSS 9.8) in the Foxit PDF SDK for Web’s Node.js signature server. The md parameter from the POST request body is passed directly via string concatenation into process.execSync(), with a switch statement that lacks a default case, allowing arbitrary shell metacharacters to survive unmodified.
A single unauthenticated POST request was sufficient to achieve full remote code execution, confirmed via fs_usage process traces showing attacker-injected curl spawning as a child of the Node.js process.
An SSRF vulnerability (CVE-2025-70400, High) in Apryse WebViewer’s server-side iFrame rendering component enables attackers to make the server fetch and render arbitrary attacker-controlled content, exposing internal network access and metadata.
CVE-2025-70402 (Critical) exploits a trust boundary failure in Apryse WebViewer’s uiConfig query parameter, which is fetched as a remote URL, parsed as JSON, and applied to the UI. A malicious glyph field injected via the uiConfig JSON flows into dangerouslySetInnerHTML in Icon.js without sanitization.
Standard DOMParser mitigations using image/svg+xml strip conventional onload and <script> payloads, but a <foreignObject> bypass preserves HTML event handlers by switching parse context, allowing execution via <svg><foreignObject><img src=x onerror=alert(1)></foreignObject></svg>. Novee leveraged this to achieve a one-click account takeover in a client proof-of-value engagement.
CVE-2025-70401 (High) is a Stored DOM XSS via the PDF annotation /T (author) field. The malicious author string flows through WebViewer’s Core layer into React’s internal he() DOM reconciliation helper, which assigns it directly to innerHTML without encoding — executing on every state change that triggers component re-render, such as a user typing in the comment field.
CVE-2025-66500 (Medium) affects Foxit’s webplugins.foxit.com embedded calculator component, whose postMessage handler validates t.data.origin, a fully attacker-controlled JSON field, instead of the browser-enforced event.origin. This allows any page to inject a remote <script> tag into the trusted Foxit domain by simply including "origin": "FoxitApp" in the crafted message payload.
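As an added example that is not Foxit's code, the vulnerable trust check is shown beside a hardened receiver that authenticates the sender with the browser-set event.origin and dispatches only to a closed command table. The trusted origin and the calculator commands are placeholders assumed for the example.

```javascript
// Vulnerable shape described on the page: trust is decided by a field the
// sender wrote into the message body, which any page can include.
function isTrustedSenderVulnerable(event) {
  return Boolean(event.data) && event.data.origin === 'FoxitApp';
}

// Hardened: event.origin is set by the browser from the sending window's
// origin and cannot be forged by the sender. Compare it to a fixed allowlist.
function isTrustedSender(event, trustedOrigins) {
  return typeof event.origin === 'string' && trustedOrigins.has(event.origin);
}

// Builds a handler that only dispatches to a closed table of commands.
// Nothing in the message is ever turned into a script URL or HTML, so even
// a message from a trusted origin can at most call one of these functions.
function createMessageHandler(trustedOrigins, commands) {
  return function onMessage(event) {
    if (!isTrustedSender(event, trustedOrigins)) {
      return { accepted: false, reason: 'untrusted origin' };
    }
    const msg = event.data;
    if (!msg || typeof msg !== 'object' || typeof msg.type !== 'string') {
      return { accepted: false, reason: 'malformed message' };
    }
    // hasOwnProperty keeps inherited keys such as "constructor" out of dispatch.
    if (!Object.prototype.hasOwnProperty.call(commands, msg.type)) {
      return { accepted: false, reason: `unknown command ${msg.type}` };
    }
    return { accepted: true, result: commands[msg.type](msg.payload) };
  };
}

// Placeholder embedding origin and a toy calculator command table (assumed).
const TRUSTED_ORIGINS = new Set(['https://pdf-host.example']);
const CALC_COMMANDS = {
  add: (p) => Number(p.a) + Number(p.b),
  multiply: (p) => Number(p.a) * Number(p.b),
};
const onCalculatorMessage = createMessageHandler(TRUSTED_ORIGINS, CALC_COMMANDS);
```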
A High-severity Path Traversal in Foxit’s Collaboration Add-on (CVSS 7.5) allows unauthenticated directory listing via the username query parameter, concatenated without sanitization into fs.readdir(). A single GET request — GET /collab/api/files/list?username=../../../../etc — returned full /etc/ directory listings including passwd, hosts, and os-release.
Rounding out the disclosure are 10 additional Stored XSS vulnerabilities across Foxit’s platform, spanning the Portfolio feature, Page Templates, Layer Import, Predefined Text, Trusted Certificates, Digital ID Common Name, Attachments, and eSign subdomains — plus a WAF bypass variant in the Collaboration feature.
| # | Vendor | Vulnerability | Severity | CVE ID |
|---|---|---|---|---|
| 1 | Apryse | DOM XSS via uiConfig | Critical | CVE-2025-70402 |
| 2 | Apryse | DOM XSS via annotation author field | High | CVE-2025-70401 |
| 3 | Apryse | Full-read SSRF via iFrame rendering | High | CVE-2025-70400 |
| 4 | Foxit | DOM XSS via postMessage handler | Medium | CVE-2025-66500 |
| 5 | Foxit | Stored XSS via Portfolio feature | Medium | CVE-2025-66520 |
| 6 | Foxit | Stored XSS in Page Templates | Medium | CVE-2025-66501 |
| 7 | Foxit | Stored XSS in Layer Import | Medium | CVE-2025-66502 |
| 8 | Foxit | Stored XSS in Predefined Text | Medium | CVE-2025-66519 |
| 9 | Foxit | Stored XSS via Trusted Certificates | Medium | CVE-2025-66521 |
| 10 | Foxit | Stored XSS via Digital ID Common Name | Medium | CVE-2025-66522 |
| 11 | Foxit | Three Reflected XSS in na1.foxitesign.foxit.com | Medium | CVE-2025-66523 |
| 12 | Foxit | Stored XSS via Attachments Feature | Medium | CVE-2026-1591 |
| 13 | Foxit | Stored XSS via Create New Layer Field | Medium | CVE-2026-1592 |
| 14 | Foxit | Path Traversal in Collaboration feature | High | Not assigned |
| 15 | Foxit | Stored XSS (WAF Bypass) via Collaboration feature | Medium | Not assigned |
| 16 | Foxit | OS Command Injection in PDF SDK for Web | Critical | Not assigned |
Users and enterprise teams relying on Apryse WebViewer or Foxit PDF SDK for Web should apply available patches immediately, audit server-side signature server deployments for the missing default case in switch-based input validation, and enforce strict Content-Security-Policy and postMessage origin validation across all embedded PDF components.
