CVE-2024-25180 identifies a critical remote code execution (RCE) vulnerability in pdfmake version 0.2.9, a popular JavaScript library used for generating PDF documents. The vulnerability exists in the /pdf endpoint, which processes POST requests. Attackers can craft malicious POST requests that exploit improper input validation or unsafe code execution paths, allowing arbitrary code execution on the server hosting pdfmake. This vulnerability is classified under CWE-94 (Improper Control of Generation of Code), indicating that user-supplied input is executed as code without sufficient sanitization or validation. Notably, the /pdf endpoint is not part of the standard pdfmake distribution but is exposed only when a separate test framework is installed alongside pdfmake. This test framework is intended for authorized testing purposes and is not meant for production environments. The vulnerability is disputed because the endpoint's behavior is considered intentional within the test framework context. The CVSS v3.1 base score of 9.8 reflects the vulnerability's high severity, with attack vector Network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). No patches or fixes have been published yet, and no known exploits have been observed in the wild. The risk primarily arises if the test framework is inadvertently exposed to untrusted networks, allowing remote attackers to leverage this endpoint for code execution.

If exploited, this vulnerability could allow remote attackers to execute arbitrary code on servers running pdfmake 0.2.9 with the test framework enabled, leading to full system compromise. This includes unauthorized access to sensitive data, modification or deletion of files, disruption of services, and potential pivoting to other internal systems. Because no authentication or user interaction is required, the attack surface is broad if the vulnerable endpoint is exposed externally. Organizations using pdfmake in development or testing environments without proper network segmentation or access controls face significant risk. The impact extends to confidentiality, integrity, and availability of affected systems, potentially causing severe operational and reputational damage. However, the threat is mitigated if the test framework is restricted to trusted internal networks and not exposed to the internet or untrusted users.

To mitigate this vulnerability, organizations should ensure that the /pdf endpoint exposed by the test framework is never accessible from untrusted networks. Network-level controls such as firewalls and VPNs should restrict access strictly to authorized testers. Remove or disable the test framework in production environments to eliminate the attack surface entirely. Implement strict access controls and authentication mechanisms around any testing interfaces. Monitor network traffic and logs for suspicious POST requests targeting the /pdf endpoint. If possible, upgrade to a pdfmake version that does not include this test framework or apply vendor patches once available. Conduct regular security reviews of development and testing environments to ensure no unintended exposure. Additionally, consider containerizing or isolating testing environments to limit the blast radius of any potential compromise.