pdfmake is vulnerable to Server-side Request Forgery (SSRF)
62
Medium Risk
Affected versions of pdfmake allow external resources such as fonts and images to be loaded from arbitrary URLs when generating PDF documents. If user-controlled input is used to construct the document definition, an attacker could supply crafted URLs that cause the server to perform unauthorized outbound requests, potentially accessing internal services or other restricted resources. This may lead to server-side request forgery (SSRF) in server-side deployments of the library. The issue is addressed by introducing a URL access policy mechanism (setUrlAccessPolicy()) that allows applications to restrict which external resources may be downloaded during PDF generation.
You are affected if you are using a version that falls within the vulnerable range.
pdfmake is vulnerable to Server-side Request Forgery (SSRF) in versions 0.0.1 - 0.3.5.
Upgrade the pdfmake library to a patched version.
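The advisory names setUrlAccessPolicy() as the fix. As an added illustration (not pdfmake's own code, and making no assumption about that API's signature), the following shows the kind of allowlist policy an application can apply to a document definition before handing it to pdfmake: only https URLs on an explicit host list pass, and loopback, link-local and private addresses are refused outright. It assumes the resource-bearing keys are `image`, `images` and `fonts` and that the `fonts` map may hold URLs; `assets.example.com` and the sample definition are constructed.

```javascript
// Hosts allowed to serve fonts and images; everything else is refused.
// 'assets.example.com' is a constructed sample host.
const DEFAULT_POLICY = {
  allowedHosts: new Set(['assets.example.com']),
  allowedProtocols: new Set(['https:']),
};
// Loopback, link-local and private ranges are refused even if allowlisted by
// mistake. The WHATWG parser normalises decimal/shorthand IPv4 forms first.
const PRIVATE_HOST = /^(localhost|127\.|10\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|0\.|\[::1\]|\[f[cd]|\[fe80)/i;

function isUrlAllowed(rawUrl, policy = DEFAULT_POLICY) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; } // unparsable: refuse
  if (!policy.allowedProtocols.has(url.protocol)) return false;
  if (PRIVATE_HOST.test(url.hostname)) return false;
  return policy.allowedHosts.has(url.hostname.toLowerCase());
}

// Only these keys make pdfmake fetch something: `image` values, the `images`
// dictionary and the `fonts` map. Plain text content is never fetched.
const RESOURCE_KEYS = new Set(['image', 'images', 'fonts']);
function collectResourceUrls(node, out = [], inResource = false) {
  if (typeof node === 'string') {
    if (inResource && /^https?:\/\//i.test(node)) out.push(node);
  } else if (Array.isArray(node)) {
    for (const n of node) collectResourceUrls(n, out, inResource);
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      collectResourceUrls(v, out, inResource || RESOURCE_KEYS.has(k));
    }
  }
  return out;
}

// Returns the resource URLs that violate the policy; an empty array means the
// definition and font map may be handed to pdfmake.
function findDisallowedUrls(docDefinition, fonts = {}, policy = DEFAULT_POLICY) {
  return collectResourceUrls({ doc: docDefinition, fonts }, [], false)
    .filter((u) => !isUrlAllowed(u, policy));
}

// Constructed sample: an allowlisted image, an image on an internal address,
// an inline data URI (never fetched, so never flagged) and an allowlisted font.
const SAMPLE_DOC = { content: [
  { image: 'https://assets.example.com/logo.png', width: 100 },
  { image: 'http://10.0.0.5/status.png', width: 100 },
  { image: 'data:image/png;base64,iVBORw0KGgo=' },
] };
const SAMPLE_FONTS = { Roboto: { normal: 'https://assets.example.com/Roboto-Regular.ttf' } };
console.log(findDisallowedUrls(SAMPLE_DOC, SAMPLE_FONTS)); // → [ 'http://10.0.0.5/status.png' ]
```

The check works on hostnames only, so it does not cover an allowlisted name that later resolves to an internal address; keep the allowlist to hosts you control and prefer the library's own setUrlAccessPolicy() once upgraded.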