Vulnerability in Pdfkit
CVE-2022-25765
The pdfkit package, from version 0.0.0 onward, is vulnerable to command injection because the URL passed to it is not properly sanitized.
EPSS: 0.888 (99.5th percentile).
CVSS v3 metric
CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P.
Affected products
- Pdfkit (vendor not listed): versions 0.0.0
Public proof-of-concept exploits
- UNICORDev/exploit-CVE-2022-25765
- PurpleWaveIO/CVE-2022-25765-pdfkit-Exploit-Reverse-Shell
- shamo0/PDFkit-CMD-Injection
- nikn0laty/PDFkit-CMD-Injection-CVE-2022-25765
- LordRNA/CVE-2022-25765
- Jeanback1/CVE-2022-25765-exploit
- lst15/pdfkit-cve-2022-25765
- lowercasenumbers/CVE-2022-25765
- lekosbelas/PDFkit-CMD-Injection
- Wai-Yan-Kyaw/PDFKitExploit
References
- security.snyk.io/vuln/SNYK-RUBY-PDFKIT-2869795
- github.com/pdfkit/pdfkit/blob/master/lib/pdfkit/source.rb#L44-L50
- github.com/pdfkit/pdfkit/blob/46cdf53ec540da1a1a2e4da979e3e5fe2f92a257/lib/pdfk…
- FEDORA-2022-6da143f1a2 (vendor-advisory)
- FEDORA-2022-3ec8272e72 (vendor-advisory)
- FEDORA-2022-c0d55cd527 (vendor-advisory)
- packetstormsecurity.com/files/171746/pdfkit-0.8.7.2-Command-Injection.html
Frequently asked questions
- What is CVE-2022-25765?
- CVE-2022-25765 is a high-severity vulnerability in Pdfkit. CVSS score: 7.3/10. Published 2022-09-09.
- How severe is CVE-2022-25765?
- High severity. CVSS v3 base score is 7.3 out of 10.
- Is CVE-2022-25765 known to be exploited?
- 28 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.