CVE-2025-66495
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-19

Last updated on: 2025-12-23

Assigner: Foxit

Description
A use-after-free vulnerability exists in the annotation handling of Foxit PDF Reader before 2025.2.1, 14.0.1, and 13.2.1 on Windows and MacOS. When opening a PDF containing specially crafted JavaScript, a pointer to memory that has already been freed may be accessed or dereferenced, potentially allowing a remote attacker to execute arbitrary code.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2025-12-23
Generated
2026-05-07
AI Q&A
2025-12-19
EPSS Evaluated
2026-05-05
NVD
CVE-2025-66495
EUVD
EUVD-2025-204465
Affected Vendors & Products
Showing 14 associated CPEs
Vendor Product Version / Range
foxit pdf_editor to 13.2.1.23955 (inc)
foxit pdf_editor From 14.0.0.33046 (inc) to 14.0.1.33197 (inc)
foxit pdf_editor From 2023.1.0.15510 (inc) to 2023.3.0.23028 (inc)
foxit pdf_editor From 2024.1.0.23997 (inc) to 2024.4.1.27687 (inc)
foxit pdf_editor From 2025.1.0.27937 (inc) to 2025.2.1.33197 (inc)
foxit pdf_reader to 2025.2.1.33197 (inc)
microsoft windows *
foxit pdf_editor to 13.2.1.63315 (inc)
foxit pdf_editor From 14.0.0.33046 (inc) to 14.0.1.69005 (inc)
foxit pdf_editor From 2023.1.0.15510 (inc) to 2023.3.0.63083 (inc)
foxit pdf_editor From 2024.1.0.23997 (inc) to 2024.4.1.66479 (inc)
foxit pdf_editor From 2025.1.0.27937 (inc) to 2025.2.1.69005 (inc)
foxit pdf_reader to 2025.2.1.69005 (inc)
apple macos *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

Update Foxit PDF Reader to version 2025.2.1, 14.0.1, 13.2.1 or later on Windows and MacOS to fix the use-after-free vulnerability in annotation handling. Avoid opening PDF files from untrusted sources that may contain specially crafted JavaScript.


Can you explain this vulnerability to me?

This vulnerability is a use-after-free issue in the annotation handling of Foxit PDF Reader on Windows and MacOS versions before 2025.2.1, 14.0.1, and 13.2.1. It occurs when opening a PDF containing specially crafted JavaScript, which causes the program to access or dereference a pointer to memory that has already been freed. This can potentially allow a remote attacker to execute arbitrary code on the affected system.


How can this vulnerability impact me? :

The vulnerability can allow a remote attacker to execute arbitrary code on your system by tricking you into opening a malicious PDF file. This could lead to unauthorized control over your device, data theft, system compromise, or further malware installation.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart