CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF.
Analysis (AI)
Nitro PDF Pro 14.41.1.4 for Windows crashes when processing maliciously crafted PDFs that invoke app.alert() with null arguments, causing denial of service through NULL pointer dereference in the JavaScript engine. Remote attackers can deliver weaponized PDF files requiring no authentication or user interaction beyond opening the document (AV:N/AC:L/PR:N/UI:N). No public exploit identified at time of analysis, with EPSS exploitation probability at 0.01% (2nd percentile), indicating low real-world targeting despite theoretical automation potential.
Technical Context (AI)
This vulnerability affects the JavaScript engine embedded in Nitro PDF Pro, specifically the implementation of the Document Object Model (DOM) method app.alert(). The flaw occurs in a fallback code path designed to handle non-string arguments passed to app.alert(). When the first argument evaluates to null (such as app.activeDocs in a PDF without active documents), the engine invokes js_ValueToString() on the null value, which returns an invalid string pointer. This invalid pointer is subsequently passed to JS_GetStringChars() without null-check validation, triggering a NULL pointer dereference when the function attempts to access memory at address zero or an unmapped region. The vulnerability is classified as CWE-476 (NULL Pointer Dereference), a common software defect where code fails to validate pointer values before dereferencing them. PDF files can embed JavaScript that executes when the document is opened, making this a vector for automated denial-of-service attacks against users or systems processing untrusted PDFs.
Remediation (AI)
Organizations running Nitro PDF Pro 14.41.1.4 for Windows should immediately check for vendor security updates at http://nitro.com and apply the latest patched version when available. No vendor-released patch version has been independently confirmed from available data at time of analysis, so users should monitor the Nitro Software security advisory page for official remediation guidance. As an interim mitigation, organizations processing untrusted PDFs should implement sandboxing or isolation technologies to limit crash impact, disable JavaScript execution in PDF processing workflows if business requirements allow, or substitute alternative PDF readers that are not affected by this vulnerability for automated document processing pipelines. Email security gateways and document management systems should add behavioral detection rules to identify and quarantine PDFs containing suspicious app.alert() JavaScript invocations with null arguments. For interactive users, the primary mitigation is user awareness training to avoid opening PDFs from untrusted sources until patches are deployed.
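A gateway-side triage heuristic for the detection rule suggested above, as an added example that is not vendor or vuln.today code: it flags app.alert() calls that have more than one argument and a first argument that is not a string literal. The function names and the sample fragment are constructed for this illustration, and the scan assumes the script is stored either in plain text or in a zlib (FlateDecode) stream; other filters, hex strings and obfuscated scripts are not covered.

```python
import re
import zlib
ALERT = re.compile(rb"app\s*\.\s*alert\s*\(")
STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
PAIRS = {ord("("): ord(")"), ord("["): ord("]"), ord("{"): ord("}")}

def split_args(buf, pos):
    """Split a call's argument list (pos is just past '(') at top-level commas."""
    args, stack, quote, start, i = [], [], None, pos, pos
    while i < len(buf):
        c = buf[i]
        if quote:
            if c == 0x5C:      # backslash: skip the escaped byte
                i += 1
            elif c == quote:
                quote = None
        elif c in b"\"'":
            quote = c
        elif c in PAIRS:
            stack.append(PAIRS[c])
        elif stack and c == stack[-1]:
            stack.pop()
        elif not stack and c in b",)":
            args.append(buf[start:i].strip())
            if c == ord(")"):
                return args
            start = i + 1
        i += 1
    return []                  # unterminated call: nothing to report

def suspicious_alert_calls(pdf):
    """app.alert() calls with >1 argument whose first is not a string literal."""
    texts, hits = [pdf], []
    for m in STREAM.finditer(pdf):
        try:                   # tolerate trailing EOL bytes after the zlib data
            texts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            pass               # stream is not zlib data; raw scan still covers it
    for text in texts:
        for m in ALERT.finditer(text):
            args = split_args(text, m.end())
            if len(args) > 1 and args[0][:1] not in (b'"', b"'"):
                hits.append(b"app.alert(" + b", ".join(args) + b")")
    return hits

# Constructed sample: two object fragments, not a complete PDF file.
_JS = b'app.alert("saved", 3); app.alert({cMsg: "a, b"}); app.alert(app.activeDocs, true);'
SAMPLE = (b'1 0 obj << /S /JavaScript /JS (app.alert("hello");) >> endobj\n2 0 obj '
          b"<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(_JS) + b"\nendstream endobj\n")
```

A hit is a reason to quarantine and inspect, not proof of a crash trigger, since whether the first argument evaluates to null is only known at run time.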
EUVD-2025-209417
GHSA-rrjx-h7jp-ggmg