bpampuch / pdfmake

Client/server side PDF printing in pure JavaScript
http://pdfmake.org

Vulnerability [pdfmake] #2697

Closed joaoviictorti closed 3 months ago

joaoviictorti commented 3 months ago

Hello, everyone,

I hope you're well. I'm João Victor, a security researcher, and during my analysis of your applications, I identified a critical vulnerability in the pdfmake software.

I noticed that pdfmake has had a vulnerability documented previously, under the code CVE-2022-46161, related to improper use of the eval function. However, I found that even if you replace eval with Function, the application remains susceptible to attack, potentially resulting in remote code execution. Due to the public nature of this forum, I prefer not to detail the method here, but I am happy to demonstrate the vulnerability securely, preferably by email.

I have logged the flaw found and a new CVE has been assigned by MITRE, which is currently marked as reserved.

Although pdfmake is not making this file itself available for download via npm, the existence of this flaw in the GitHub repository represents a significant risk, since users can implement it without the proper precautions.

I would like to alert you to this issue so that you can adopt the most appropriate corrective measures. I am available to demonstrate exploitation of the flaw and discuss possible solutions by email or any other means of communication you prefer.

liborm85 commented 3 months ago

You can send me an e-mail (the address is in my profile).

joaoviictorti commented 3 months ago

Thanks for the reply!

I've sent a message to your e-mail address.