Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (mitre) · only source for this CVE.
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
6DescriptionCVE.org
Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF.
AnalysisAI
Nitro PDF Pro 14.41.1.4 for Windows crashes when processing maliciously crafted PDFs that invoke app.alert() with null arguments, causing denial of service through NULL pointer dereference in the JavaScript engine. Remote attackers can deliver weaponized PDF files requiring no authentication or user interaction beyond opening the document (AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.01% (2nd percentile), indicating low real-world targeting despite theoretical automation potential.
Technical ContextAI
This vulnerability affects the JavaScript engine embedded in Nitro PDF Pro, specifically the implementation of the Document Object Model (DOM) method app.alert(). The flaw occurs in a fallback code path designed to handle non-string arguments passed to app.alert(). When the first argument evaluates to null (such as app.activeDocs in a PDF without active documents), the engine invokes js_ValueToString() on the null value, which returns an invalid string pointer. This invalid pointer is subsequently passed to JS_GetStringChars() without null-check validation, triggering a NULL pointer dereference when the function attempts to access memory at address zero or an unmapped region. The vulnerability is classified as CWE-476 (NULL Pointer Dereference), a common software defect where code fails to validate pointer values before dereferencing them. PDF files can embed JavaScript that executes when the document is opened, making this a vector for automated denial-of-service attacks against users or systems processing untrusted PDFs.
RemediationAI
Organizations running Nitro PDF Pro 14.41.1.4 for Windows should immediately check for vendor security updates at http://nitro.com and apply the latest patched version when available. No vendor-released patch version has been independently confirmed from available data at time of analysis, so users should monitor the Nitro Software security advisory page for official remediation guidance. As an interim mitigation, organizations processing untrusted PDFs should implement sandboxing or isolation technologies to limit crash impact, disable JavaScript execution in PDF processing workflows if business requirements allow, or substitute alternative PDF readers that are not affected by this vulnerability for automated document processing pipelines. Email security gateways and document management systems should add behavioral detection rules to identify and quarantine PDFs containing suspicious app.alert() JavaScript invocations with null arguments. For interactive users, the primary mitigation is user awareness training to avoid opening PDFs from untrusted sources until patches are deployed.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-476 – NULL Pointer Dereference
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209417
GHSA-rrjx-h7jp-ggmg