CVE-2025-53626: @pdfme/common vulnerable to to XSS and Prototype Pollution through its expression evaluation

July 10, 2025

The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks.

References

github.com/advisories/GHSA-54xv-94qv-2gfg
github.com/pdfme/pdfme
github.com/pdfme/pdfme/pull/1117
github.com/pdfme/pdfme/releases/tag/5.4.1
github.com/pdfme/pdfme/security/advisories/GHSA-54xv-94qv-2gfg
nvd.nist.gov/vuln/detail/CVE-2025-53626

Code Behaviors & Features

Detect and mitigate CVE-2025-53626 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →