CVE-2025-55313

EUVD-2025-202707

11.12.2025, 16:16

An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. They allow potential arbitrary code execution when processing crafted PDF files. The vulnerability stems from insufficient handling of memory allocation failures after assigning an extremely large value to a form field's charLimit property via JavaScript. This can result in memory corruption and may allow an attacker to execute arbitrary code by persuading a user to open a malicious file.

Code Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADP	ADP	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 2%

Affected Products (NVD)

Vendor	Product	Version
foxit	pdf_editor	2023.1.0.15510 ≤ 𝑥 ≤ 2023.3.0.23028
foxit	pdf_editor	2024.1.0.23997 ≤ 𝑥 ≤ 2024.4.1.27687
foxit	pdf_editor	2025.1.0.27937
foxit	pdf_reader	𝑥 ≤ 2025.1.0.27937
foxit	pdf_editor	𝑥 ≤ 13.1.7.63027
foxit	pdf_editor	2023.1.0.55583 ≤ 𝑥 ≤ 2023.3.0.63083
foxit	pdf_editor	2024.1.0.63682 ≤ 𝑥 ≤ 2024.4.1.66479
foxit	pdf_editor	2025.1.0.66692
foxit	pdf_reader	𝑥 ≤ 2025.1.0.66692

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-94 - Improper Control of Generation of Code ('Code Injection')
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References

https://www.foxit.com/support/security-bulletins.html