16 Zero-Day Vulnerabilities in Popular PDF Platforms Enable Code Execution and Data Exfiltration - CybersecurityNews
CybersecurityNews, archived Mar 16, 2026
Sixteen zero-day vulnerabilities have been disclosed, including critical OS Command Injection, DOM-based XSS, SSRF, and Path Traversal flaws across Apryse WebViewer (formerly PDFTron) and Foxit PDF cloud services, affecting millions of enterprise users worldwide.
The disclosure from Novee Security showcases its AI-augmented human-agent research workflow to demonstrate scalable zero-day discovery across widely deployed, complex PDF platforms.
Both Apryse and Foxit were notified under responsible disclosure, and patches or mitigations have been coordinated prior to publication.
Attack Surface and Research Method
Apryse WebViewer operates across three distinct layers: a React-based UI iframe accepting untrusted input from query strings, postMessage, remote JSON configuration, and URL fragments; a JavaScript/WebAssembly document engine handling parsing and rendering; and a server-side SDK for HTML-to-PDF conversion and thumbnail generation.
Crafted annotation (Source – Novee)
Each layer represents a distinct trust boundary, and failures to validate input crossing those boundaries formed the root cause of the discovered vulnerabilities.
Novee’s discovery methodology combined human researcher intuition with an AI agent swarm. Researchers first manually identified foundational vulnerability patterns, then encoded that reasoning into three specialized agents: Tracer (sink enumeration and backward source-to-sink chain mapping), Resolver (control flow and validation boundary analysis), and Bypass (PoC construction and exploitability proof), enabling systematic coverage of the entire attack surface at scale.
The most severe finding is a Critical OS Command Injection (CVSS 9.8) in the Foxit PDF SDK for Web’s Node.js signature server. The md parameter from the POST request body is passed directly via string concatenation into process.execSync(), with a switch statement that lacks a default case, allowing arbitrary shell metacharacters to survive unmodified.
A single unauthenticated POST request was sufficient to achieve full remote code execution, confirmed via fs_usage process traces showing attacker-injected curl spawning as a child of the Node.js process.
An SSRF vulnerability (CVE-2025-70400, High) in Apryse WebViewer’s server-side iFrame rendering component enables attackers to make the server fetch and render arbitrary attacker-controlled content, exposing internal network access and metadata.
CVE-2025-70402 (Critical) exploits a trust boundary failure in Apryse WebViewer’s uiConfig query parameter, which is fetched as a remote URL, parsed as JSON, and applied to the UI. A malicious glyph field injected via the uiConfig JSON flows into dangerouslySetInnerHTML in Icon.js without sanitization.
Standard DOMParser mitigations using image/svg+xml strip conventional onload and <script> payloads, but a <foreignObject> bypass preserves HTML event handlers by switching parse context, allowing execution via <svg><foreignObject><img src=x onerror=alert(1)></foreignObject></svg>. Novee leveraged this to achieve a one-click account takeover in a client proof-of-value engagement.
CVE-2025-70401 (High) is a Stored DOM XSS via the PDF annotation /T (author) field. The malicious author string flows through WebViewer’s Core layer into React’s internal he() DOM reconciliation helper, which assigns it directly to innerHTML without encoding — executing on every state change that triggers component re-render, such as a user typing in the comment field.
CVE-2025-66500 (Medium) affects Foxit’s webplugins.foxit.com embedded calculator component, whose postMessage handler validates t.data.origin — a fully attacker-controlled JSON field instead of the browser-enforced event.origin. This allows any page to inject a remote <script> tag into the trusted Foxit domain by simply including "origin": "FoxitApp" in the crafted message payload.
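The origin-check mistake described above, as an added example that is not Foxit's code: one handler trusts an "origin" field inside the message body, the other compares the browser-set event.origin against an allowlist. The trusted origin value and the event objects are constructed so the code runs outside a browser.

```javascript
// Added illustration, not Foxit's code. The trusted origin is an assumed value
// and the event objects are constructed stand-ins for MessageEvent.
const TRUSTED_ORIGIN = 'https://viewer.example.invalid'; // assumed allowlist entry

// Vulnerable shape: the sender controls every byte of event.data, so a
// marker such as "origin": "FoxitApp" inside it proves nothing about the
// page that posted the message.
function isTrustedVulnerable(event) {
  return Boolean(event.data) && event.data.origin === 'FoxitApp';
}

// Hardened: event.origin is filled in by the browser from the sending
// window's origin and cannot be set by the sender; compare it exactly.
function isTrustedHardened(event) {
  return event.origin === TRUSTED_ORIGIN;
}

// Only after the trust check succeeds is the payload acted upon.
function handleMessage(event, trustCheck) {
  if (!trustCheck(event)) return { accepted: false };
  return { accepted: true, action: event.data.action };
}

// Constructed samples: a message from an unrelated page that copies the
// marker into the body, and a genuine one from the trusted window.
const forgedEvent = {
  origin: 'https://unrelated.example.invalid',
  data: { origin: 'FoxitApp', action: 'loadScript' },
};
const genuineEvent = {
  origin: TRUSTED_ORIGIN,
  data: { origin: 'FoxitApp', action: 'resize' },
};
```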
Bypass – one POST, full RCE (Source – Novee)
A High-severity Path Traversal in Foxit’s Collaboration Add-on (CVSS 7.5) allows unauthenticated directory listing via the username query parameter, concatenated without sanitization into fs.readdir(). A single GET request — GET /collab/api/files/list?username=../../../../etc — returned full /etc/ directory listings including passwd, hosts, and os-release.
Rounding out the disclosure are 10 additional Stored XSS vulnerabilities across Foxit’s platform, spanning the Portfolio feature, Page Templates, Layer Import, Predefined Text, Trusted Certificates, Digital ID Common Name, Attachments, and eSign subdomains — plus a WAF bypass variant in the Collaboration feature.
| # | Vendor | Vulnerability | Severity | CVE ID |
|---|--------|---------------|----------|--------|
| 1 | Apryse | DOM XSS via uiConfig | Critical | CVE-2025-70402 |
| 2 | Apryse | DOM XSS via annotation author field | High | CVE-2025-70401 |
| 3 | Apryse | Full-read SSRF via iFrame rendering | High | CVE-2025-70400 |
| 4 | Foxit | DOM XSS via postMessage handler | Medium | CVE-2025-66500 |
| 5 | Foxit | Stored XSS via Portfolio feature | Medium | CVE-2025-66520 |
| 6 | Foxit | Stored XSS in Page Templates | Medium | CVE-2025-66501 |
| 7 | Foxit | Stored XSS in Layer Import | Medium | CVE-2025-66502 |
| 8 | Foxit | Stored XSS in Predefined Text | Medium | CVE-2025-66519 |
| 9 | Foxit | Stored XSS via Trusted Certificates | Medium | CVE-2025-66521 |
| 10 | Foxit | Stored XSS via Digital ID Common Name | Medium | CVE-2025-66522 |
| 11 | Foxit | Three Reflected XSS in na1.foxitesign.foxit.com | Medium | CVE-2025-66523 |
| 12 | Foxit | Stored XSS via Attachments Feature | Medium | CVE-2026-1591 |
| 13 | Foxit | Stored XSS via Create New Layer Field | Medium | CVE-2026-1592 |
| 14 | Foxit | Path Traversal in Collaboration feature | High | Not assigned |
| 15 | Foxit | Stored XSS (WAF Bypass) via Collaboration feature | Medium | Not assigned |
| 16 | Foxit | OS Command Injection in PDF SDK for Web | Critical | Not assigned |
Users and enterprise teams relying on Apryse WebViewer or Foxit PDF SDK for Web should apply available patches immediately, audit server-side signature server deployments for the missing default case in switch-based input validation, and enforce strict Content-Security-Policy and postMessage origin validation across all embedded PDF components.