CVE-2025-56589
BaseFortify
Publication date: 2026-01-22
Last updated on: 2026-02-02
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apryse | html2pdf | up to and including 11.7.0 |
| apryse | html2pdf | 11.10.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-56589 is a vulnerability in the Apryse HTML2PDF SDK's InsertFromHtmlString() function that involves both Local File Inclusion (LFI) and Server-Side Request Forgery (SSRF). It occurs because the SDK processes HTML content using Headless Chromium without sufficient sanitization. An attacker can craft malicious HTML input containing iframe tags or file URIs that cause the server to read local files or make arbitrary HTTP requests to internal or external systems. This can lead to unauthorized disclosure of sensitive data or potential system compromise. [1]
How can this vulnerability impact me?
This vulnerability can allow attackers to read sensitive local files on the server or force the server to make arbitrary HTTP requests to internal or external services. These actions can lead to exposure of confidential data and potentially allow attackers to further exploit the system, risking data confidentiality and server integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-56589 involves monitoring for unusual or unauthorized HTTP requests initiated by the server, especially those triggered when the HTML2PDF SDK processes HTML input. Because the vulnerability arises from malicious iframe tags or file URI references in HTML input, inspecting logs for such patterns or for unexpected Chromium command-line arguments may help. However, no specific detection commands are provided in the resources. A practical approach is to test the system with crafted HTML inputs containing iframe tags or file URIs to see whether local files are read or external requests are made during PDF generation. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include strictly sanitizing all HTML input sent to the PDF conversion functions of the Apryse HTML2PDF SDK. This involves removing or neutralizing JavaScript, iframe tags, and other potentially malicious code before processing. Using trusted HTML sanitizers and output encoding is strongly advised. Since the vendor has declined to patch the vulnerability, input sanitization remains the primary defense to prevent exploitation. [1]
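An allowlist sanitizer of the kind described above, written here as an added example (it is not Apryse code and not from the referenced advisory). The function name `sanitize_for_pdf`, the tag and attribute allowlists, and the sample input are assumptions; the cleaned string is what would be passed to InsertFromHtmlString(), and the findings list can be logged to support detection.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists are assumptions for this example: adjust to what your documents need.
ALLOWED_TAGS = {"h1", "h2", "h3", "p", "br", "b", "i", "em", "strong", "ul", "ol",
                "li", "table", "thead", "tbody", "tr", "th", "td", "span", "a", "img"}
VOID_TAGS = {"br", "img"}
SAFE_ATTRS = {"alt", "title", "colspan", "rowspan"}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object"}  # removed with their content

def _url_ok(tag, name, value):
    v = value.strip().lower()
    if (tag, name) == ("a", "href"):   # kept as a clickable link, not a subresource
        return v.startswith(("http://", "https://"))
    if (tag, name) == ("img", "src"):  # inline images only: no file:, no network fetch
        return v.startswith(("data:image/png;base64,", "data:image/jpeg;base64,"))
    return False

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            self.findings.append(f"dropped <{tag}> {attrs}")
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name in SAFE_ATTRS or _url_ok(tag, name, value):
                kept += f' {name}="{escape(value, quote=True)}"'
            else:  # style=, on*=, srcdoc=, disallowed URL schemes, ...
                self.findings.append(f"dropped {name}={value!r} on <{tag}>")
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

def sanitize_for_pdf(html):
    """Return (clean_html, findings); log findings, convert only clean_html."""
    parser = _Sanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample input (placeholder host and path).
SAMPLE = ('<h1>Invoice</h1><iframe src="file:///placeholder/path"></iframe>'
          '<img src="http://internal.example/logo.png">'
          '<p style="background:url(http://internal.example/bg)">Total: 10 &lt; 20</p>'
          '<a href="https://example.com/terms">Terms</a><script>var x = 1;</script>')
```

Comments, doctype declarations and any tag outside the allowlist never reach the output, because the parser only emits what the handlers above write.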
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability could lead to unauthorized disclosure of sensitive data due to Local File Inclusion (LFI) and Server-Side Request Forgery (SSRF) attacks, which may compromise data confidentiality and system integrity. Such data exposure risks can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information and preventing unauthorized access. Therefore, organizations using the affected Apryse HTML2PDF SDK module may face compliance challenges if this vulnerability is exploited. [1]