CVE-2025-53626

pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
GitHub_MCNA
6.1 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Common Weakness Enumeration
References
https://github.com/pdfme/pdfme/commit/0dd54739acff2c249ed68c001a896bee38f0fd85
https://github.com/pdfme/pdfme/security/advisories/GHSA-54xv-94qv-2gfg
https://github.com/pdfme/pdfme/security/advisories/GHSA-54xv-94qv-2gfg