
CVE-2025-59803: n/a

Severity: Medium
Published: Thu Dec 11 2025 (12/11/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Foxit PDF Editor and Reader before 2025.2.1 allow signature spoofing via triggers. An attacker can embed triggers (e.g., JavaScript) in a PDF document that execute during the signing process. When a signer reviews the document, the content appears normal. However, once the signature is applied, the triggers modify content on other pages or optional content layers without explicit warning. This can cause the signed PDF to differ from what the signer saw, undermining the trustworthiness of the digital signature. The fixed versions are 2025.2.1, 14.0.1, and 13.2.1.

AI-Powered Analysis

AI analysis last updated: 12/11/2025, 15:54:50 UTC

Technical Analysis

CVE-2025-59803 is a signature spoofing vulnerability affecting Foxit PDF Editor and Reader versions before 2025.2.1. The flaw arises because the software allows embedded triggers, such as JavaScript, within PDF documents to execute during the signing process. When a signer reviews the document, the visible content appears legitimate and unchanged. However, once the digital signature is applied, these embedded triggers activate and modify content on other pages or optional content layers without any explicit warning or indication to the signer. As a result, the signed PDF can differ from what the signer reviewed and approved, breaking the fundamental trust model of digital signatures. The root cause is the combination of the dynamic content capabilities of PDFs with insufficient validation or locking of the document state at signing time. The issue was reserved in September 2025 and published in December 2025, with no known exploits reported in the wild yet. The vendor has addressed the vulnerability in versions 2025.2.1, 14.0.1, and 13.2.1. This vulnerability poses a significant risk to document integrity and non-repudiation, especially in environments where PDFs are used for contracts, legal documents, or compliance records. Attackers could leverage this to perpetrate fraud, alter agreements post-signature, or undermine legal evidence.

Potential Impact

For European organizations, the impact of CVE-2025-59803 is substantial, particularly in sectors relying heavily on digitally signed PDF documents such as legal, financial, government, and healthcare. The vulnerability undermines the integrity and non-repudiation guarantees of digital signatures, potentially allowing attackers to alter signed documents after approval without detection. This can lead to fraudulent contracts, unauthorized changes to official records, and legal disputes. The trustworthiness of electronic document workflows is compromised, which may also affect compliance with EU regulations like eIDAS that govern electronic signatures and trust services. Organizations may face reputational damage, financial losses, and regulatory penalties if the flaw is exploited. The absence of known exploits currently provides a window for proactive mitigation, but the ease of embedding JavaScript in PDFs and the widespread use of Foxit products increase the risk of future exploitation. The vulnerability affects confidentiality less directly but severely impacts the integrity and availability of trustworthy document workflows.

Mitigation Recommendations

European organizations should immediately upgrade Foxit PDF Editor and Reader to versions 2025.2.1, 14.0.1, or 13.2.1 to remediate this vulnerability. Beyond patching, organizations should implement strict PDF document handling policies that include scanning incoming and outgoing PDFs for embedded scripts or suspicious triggers using specialized PDF security tools. Training users to recognize suspicious PDF behaviors and enforcing signing workflows that include manual or automated verification of document integrity post-signature can reduce risk. Consider restricting the use of JavaScript in PDFs or disabling script execution in PDF readers where feasible. Organizations should also audit existing signed documents for signs of post-signature modifications and maintain detailed logs of signing events. For high-risk environments, adopting alternative secure signing solutions that cryptographically lock the entire document state at signing time can provide stronger guarantees. Regularly monitoring threat intelligence feeds for emerging exploits related to this vulnerability is advised.
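The scanning step in the recommendation above can be started with a simple raw-byte triage check before a full PDF parser is brought in. The following is an added example written for this page, not code from the advisory, from Foxit or from the CVE record; the trigger key list, the sample documents and the triage thresholds are assumptions of the example. It normalises PDF `#xx` name escapes (so an obfuscated `/J#53` is recognised as `/JS`), counts automatic-trigger keys and optional-content configuration, and reports two things a reviewer needs to interpret the result: the number of incremental updates appended after the first `%%EOF` (how post-signature changes are physically stored) and whether compressed object streams are present, since a raw scan cannot see dictionary keys stored inside them.

```python
import re
from typing import Dict

# Dictionary keys that mark automatic triggers or layer configuration in a PDF.
# This list is an assumption of the example (names from the PDF specification),
# not a list published with the advisory.
TRIGGER_KEYS = {
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional-actions dictionary (page, field or annotation events)",
    b"/JavaScript": "JavaScript action or document-level script name tree",
    b"/JS": "inline JavaScript code or stream",
    b"/Launch": "launch-application action",
    b"/OCProperties": "optional content (layer) configuration",
}

# A PDF name token: a slash followed by regular characters or #xx escapes.
_NAME_RE = re.compile(rb"/(?:[^\s/<>\[\]()%]|#[0-9A-Fa-f]{2})+")
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> bytes:
    """Resolve #xx escapes so an obfuscated /J#53 compares equal to /JS."""
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def scan_pdf_bytes(data: bytes) -> Dict[str, object]:
    """Heuristic raw-byte scan of a PDF: trigger counts plus two indicators
    needed to read those counts correctly."""
    triggers: Dict[str, int] = {}
    for match in _NAME_RE.finditer(data):
        name = decode_name(match.group(0))
        if name in TRIGGER_KEYS:
            key = name.decode("ascii")
            triggers[key] = triggers.get(key, 0) + 1
    return {
        "triggers": triggers,
        # Each incremental update appends another xref/trailer and %%EOF, so a
        # signed document that was changed afterwards shows extra %%EOF markers.
        "incremental_updates": max(data.count(b"%%EOF") - 1, 0),
        # Keys stored inside compressed object streams are invisible to a raw
        # scan; a non-zero count means a real PDF parser must be used instead.
        "object_streams": data.count(b"/ObjStm"),
    }


def triage(data: bytes) -> str:
    """Map a scan result to a queue: 'clean', 'review' or 'needs-full-parse'."""
    result = scan_pdf_bytes(data)
    if result["triggers"] or result["incremental_updates"]:
        return "review"
    if result["object_streams"]:
        return "needs-full-parse"
    return "clean"


# Constructed samples (not real files): a minimal static PDF, and one carrying
# an open action, an obfuscated /JS key, a layer configuration, an annotation
# trigger and one incremental update.
BENIGN_PDF = (
    b"%PDF-1.7\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.7\n1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R"
    b"/OCProperties<</OCGs[]>>>>endobj\n"
    b"3 0 obj<</S/JavaScript/J#53(sample)>>endobj\n"
    b"trailer<</Root 1 0 R>>\n%%EOF\n"
    b"4 0 obj<</Type/Annot/AA<</PC 3 0 R>>>>endobj\n"
    b"trailer<</Root 1 0 R/Prev 100>>\n%%EOF\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(sample), scan_pdf_bytes(sample))
```

The scan is a triage signal, not a verdict: legitimate forms and layered drawings also use `/AA` and `/OCProperties`, and encrypted or object-stream-compressed files hide their keys from a byte scan. Anything that lands in the review queue should be opened in a parser that resolves object streams and checks whether the incremental updates after the signature touch page content or layer visibility.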


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-22T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 693ae5917d4c6f31f7b66ff1

Added to database: 12/11/2025, 3:38:57 PM

Last enriched: 12/11/2025, 3:54:50 PM

Last updated: 12/12/2025, 4:01:41 AM

Views: 8

Community Reviews

0 reviews

