CVE-2025-11362: Allocation of Resources Without Limits or Throttling in pdfmake
Versions of the package pdfmake before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirecting URLs in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that triggers this condition.
AI Analysis
Technical Summary
CVE-2025-11362 is a vulnerability classified under CWE-770 (Allocation of Resources Without Limits or Throttling) affecting the pdfmake package, specifically versions before 0.3.0-beta.17. Pdfmake is a widely used JavaScript library for generating PDF documents in web applications. The vulnerability arises from the way pdfmake handles file embedding, particularly when URLs are repeatedly redirected. An attacker can craft input that triggers continuous resource allocation without any throttling or limits, leading to excessive memory or CPU consumption. This can cause the application to crash or become unresponsive, effectively resulting in a denial-of-service (DoS) condition. The CVSS 4.0 vector indicates that the attack can be performed remotely (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and no authentication (AT:N). The vulnerability impacts availability heavily (VA:H) but does not affect confidentiality or integrity. No known exploits are currently in the wild, but the high severity and ease of exploitation make it a critical concern for applications relying on pdfmake for PDF generation. The lack of patch links suggests that users must upgrade to the fixed version 0.3.0-beta.17 once available or apply vendor-recommended mitigations.
Potential Impact
For European organizations, the primary impact is on service availability. Applications that dynamically generate PDFs using vulnerable pdfmake versions can be targeted to cause denial-of-service, disrupting business operations, customer-facing services, or internal workflows. This can lead to downtime, loss of productivity, and potential reputational damage. Industries relying heavily on document generation, such as finance, legal, healthcare, and government services, may experience significant operational impact. Additionally, resource exhaustion attacks can increase infrastructure costs due to overconsumption of CPU and memory. While confidentiality and integrity are not directly impacted, the disruption of critical services can indirectly affect compliance with regulations such as GDPR if service availability is compromised. The absence of required authentication or user interaction means attackers can exploit this vulnerability at scale, increasing the risk for organizations with exposed PDF generation endpoints.
Mitigation Recommendations
1. Upgrade pdfmake to version 0.3.0-beta.17 or later as soon as it becomes available to ensure the vulnerability is patched.
2. Implement strict input validation on all file embedding inputs to prevent maliciously crafted URLs that trigger repeated redirects.
3. Apply rate limiting and throttling mechanisms on PDF generation endpoints to limit the number of requests and resource consumption per user or IP address.
4. Monitor application logs and resource usage metrics for unusual spikes in CPU or memory consumption related to PDF generation processes.
5. Use web application firewalls (WAFs) to detect and block suspicious patterns of repeated URL redirects or excessive PDF generation requests.
6. Isolate PDF generation services in separate containers or environments with resource quotas to contain potential denial-of-service impacts.
7. Educate development teams about secure usage of third-party libraries and the importance of timely patching.
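The bound that recommendation 2 calls for, as an added Node.js example that is not pdfmake's own code: a redirect-following fetch wrapper for embedded file URLs that caps the number of hops, detects redirect loops and bounds the body size. The HTTP layer is replaced by an injected fetcher over a constructed in-memory route table (the example.test hosts and the fetchWithRedirectLimit/fakeFetch names are placeholders) so it runs offline.

```javascript
// Added example, not pdfmake's own code: follow redirects for an embedded
// file URL with a hard hop cap, loop detection and a body-size bound, so a
// redirect chain cannot drive unbounded allocation (CWE-770).
// fetchImpl(url) -> Promise<{ status, headers: { location? }, body? }>
const MAX_REDIRECTS = 5;                 // hops allowed per embedded URL
const MAX_BODY_BYTES = 5 * 1024 * 1024;  // largest file we will embed
async function fetchWithRedirectLimit(url, fetchImpl, opts = {}) {
  const maxRedirects = opts.maxRedirects ?? MAX_REDIRECTS;
  const maxBodyBytes = opts.maxBodyBytes ?? MAX_BODY_BYTES;
  const visited = new Set();             // catches A -> B -> A loops early
  let current = url;
  for (let hop = 0; ; hop++) {
    if (visited.has(current)) throw new Error(`redirect loop detected at ${current}`);
    visited.add(current);
    const res = await fetchImpl(current);
    if (res.status >= 300 && res.status < 400) {
      if (hop >= maxRedirects) throw new Error(`redirect limit of ${maxRedirects} exceeded`);
      const loc = res.headers && res.headers.location;
      if (!loc) throw new Error(`redirect without Location from ${current}`);
      current = new URL(loc, current).href;  // resolve relative Location headers
      continue;
    }
    if (res.status !== 200) throw new Error(`unexpected status ${res.status} from ${current}`);
    if (res.body.length > maxBodyBytes) throw new Error(`body exceeds ${maxBodyBytes} bytes`);
    return { url: current, body: res.body, hops: hop };
  }
}
// Constructed in-memory "server" standing in for HTTP; *.example.test hosts are placeholders.
const ROUTES = {
  'https://example.test/logo': { status: 302, headers: { location: '/logo-v2' } },
  'https://example.test/logo-v2': { status: 301, headers: { location: 'https://cdn.example.test/logo.png' } },
  'https://cdn.example.test/logo.png': { status: 200, headers: {}, body: Buffer.from('PNG stub') },
  'https://example.test/loop-a': { status: 302, headers: { location: '/loop-b' } },
  'https://example.test/loop-b': { status: 302, headers: { location: '/loop-a' } },
};
async function fakeFetch(url) {
  const chain = url.match(/\/chain\/(\d+)$/);  // /chain/N redirects forever to /chain/N+1
  if (chain) return { status: 302, headers: { location: `/chain/${Number(chain[1]) + 1}` } };
  return ROUTES[url] || { status: 404, headers: {} };
}
// Three cases: a legitimate two-hop chain, a redirect loop, and an endless chain of new URLs.
async function demo() {
  const out = {};
  for (const u of ['https://example.test/logo', 'https://example.test/loop-a', 'https://example.test/chain/0']) {
    try { const r = await fetchWithRedirectLimit(u, fakeFetch); out[u] = `ok after ${r.hops} hops: ${r.url}`; }
    catch (e) { out[u] = `rejected: ${e.message}`; }
  }
  return out;
}
demo().then(console.log);
```

The loop case is rejected by the visited set after two hops, while the endless chain of distinct URLs is what the hop cap exists for: without it, each new Location header would be one more allocation.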
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: snyk
- Date Reserved: 2025-10-06T11:52:09.777Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68e4a2b8a0f5db0db2785ab7
Added to database: 10/7/2025, 5:18:48 AM
Last enriched: 10/14/2025, 5:45:08 AM
Last updated: 11/20/2025, 3:47:11 PM