CVE-2025-53626 MEDIUM

CVE-2025-53626: pdfme has Sandbox Escape and Prototype Pollution vulnerabilities in pdfme expression evaluation

Vendor Pdfme
Product pdfme
Weakness CWE-94 · Code injection
Published July 10, 2025
Last update July 10, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Scope Changed
Confidentiality Low
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01 Description

pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 through 5.4.0 contains critical vulnerabilities that allow an expression to escape the evaluation sandbox, leading to cross-site scripting (XSS) and prototype pollution attacks. This vulnerability is fixed in 5.4.1.

Key dates

02 Disclosure timeline

July 10, 2025 CVE published
July 10, 2025 Record updated