AIKIDO-2026-10975
pdfmake is vulnerable to Path Traversal
59
Medium Risk
This Affects:
pdfmakeTL;DR
On Node.js, pdfmake resolves files, attachment, font, and image sources from document definitions and can read local filesystem paths through pdfkit without applying any local access policy. When callers pass attacker-influenced paths into those fields, the generated PDF can embed arbitrary server files and leak their contents. Before the fix, setUrlAccessPolicy also checked only the initial HTTP URL while fetch followed redirects, so a permitted URL could redirect to an internal or disallowed target. Version 0.3.8 adds setLocalAccessPolicy, validates local paths before reads, and re-checks URL policy on every redirect hop and on the final redirected URL.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
pdfmake is vulnerable to Path Traversal in versions 0.3.0 - 0.3.7.
How to fix this
Upgrade the pdfmake library to the patch version.
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant