CVE-2025-11362: pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding

October 7, 2025 (updated October 8, 2025)

Versions of the package pdfmake from 0.3.0-beta.1 to before 0.3.0-beta.17 are vulnerable to Allocation of Resources Without Limits or Throttling via repeatedly redirect URL in file embedding. An attacker can cause the application to crash or become unresponsive by providing crafted input that triggers this condition.

References

github.com/advisories/GHSA-rj3r-r7hh-jxfq
github.com/bpampuch/pdfmake
github.com/bpampuch/pdfmake/commit/741169634bf07730e010cd77477b6cc038e846ed
github.com/bpampuch/pdfmake/issues/2886
nvd.nist.gov/vuln/detail/CVE-2025-11362
security.snyk.io/vuln/SNYK-JS-PDFMAKE-10223297

Code Behaviors & Features

Detect and mitigate CVE-2025-11362 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →