Foxit Pdf Services Api
Monthly
Server-side request forgery in the Foxit PDF Services API (cloud offering) lets a remote attacker supply a crafted URL that the backend fetches, coercing the server into making requests to attacker-chosen internal or external destinations. Because the service processes documents and URLs on behalf of clients, this can be abused to reach cloud metadata endpoints, internal-only services, and network zones normally shielded from the public internet, potentially disclosing credentials or sensitive data. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 8th percentile), consistent with CISA SSVC scoring exploitation as 'none'.
Server-side request forgery in the Foxit PDF Services API (cloud offering) lets a remote attacker supply a crafted URL that the backend fetches, coercing the server into making requests to attacker-chosen internal or external destinations. Because the service processes documents and URLs on behalf of clients, this can be abused to reach cloud metadata endpoints, internal-only services, and network zones normally shielded from the public internet, potentially disclosing credentials or sensitive data. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 8th percentile), consistent with CISA SSVC scoring exploitation as 'none'.