CVE-2025-55314

EUVD-2025-202708

11.12.2025, 16:16

An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. When pages in a PDF are deleted via JavaScript, the application may fail to properly update internal states. Subsequent annotation management operations assume these states are valid, causing dereference of invalid or released memory. This can lead to memory corruption, application crashes, and potentially allow an attacker to execute arbitrary code.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADP	ADP	7.8 HIGH	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
foxit	pdf_editor	𝑥 ≤ 13.1.7.23637
foxit	pdf_editor	2023.1.0.15510 ≤ 𝑥 ≤ 2023.3.0.23028
foxit	pdf_editor	2024.1.0.23997 ≤ 𝑥 ≤ 2024.4.1.27687
foxit	pdf_editor	2025.1.0.27937
foxit	pdf_reader	𝑥 ≤ 2025.1.0.27937

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-476 - NULL Pointer Dereference
A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

References

https://www.foxit.com/support/security-bulletins.html