CVE-2026-33438
Denial of Service in Stirling-PDF Watermark Function

Publication date: 2026-03-26

Last updated on: 2026-03-31

Assigner: GitHub, Inc.

Description
Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Versions starting in 2.1.5 and prior to 2.5.2 have a Denial of Service (DoS) vulnerability in the Stirling-PDF watermark functionality (`/api/v1/security/add-watermark` endpoint). The vulnerability allows authenticated users to cause resource exhaustion and server crashes by providing extreme values for the `fontSize` and `widthSpacer` parameters. Version 2.5.2 patches the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: stirling
Product: stirling_pdf
Version / Range: From 2.1.5 (inc) to 2.5.2 (exc)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33438 is a Denial of Service (DoS) vulnerability in the Stirling-PDF web application, specifically in its watermark functionality accessed via the `/api/v1/security/add-watermark` endpoint.

The vulnerability occurs because the application uses user-controlled parameters `fontSize` and `widthSpacer` without proper validation to calculate how many watermark repetitions to render on a PDF page.

When extremely small values for `fontSize` (e.g., 0.00000001) and zero for `widthSpacer` are provided, the calculations for watermark dimensions result in very large numbers of watermark rows and columns. This causes nested loops to perform an extremely high number of expensive rendering operations, leading to massive CPU and memory consumption.

As a result, the server resources are exhausted, causing the application to crash and become unavailable. There is no input validation or bounds checking to prevent this behavior.


How can this vulnerability impact me?

This vulnerability can cause a Denial of Service (DoS) condition on the Stirling-PDF server.

  • Exhaustion of CPU and memory resources due to excessive watermark rendering operations.
  • Server crashes and service unavailability, affecting all users of the application.
  • Potential disruption of business operations relying on the Stirling-PDF service.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for unusual resource consumption or server crashes when authenticated users access the `/api/v1/security/add-watermark` endpoint of Stirling-PDF versions 2.1.5 up to 2.5.1.

A practical detection method is to look for POST requests to the `/api/v1/security/add-watermark` endpoint with extremely small values for the `fontSize` parameter and zero or very small values for the `widthSpacer` parameter.

Example command to detect suspicious requests in web server logs (assuming logs contain JSON payloads):

  • grep -i '/api/v1/security/add-watermark' /var/log/access.log | grep -E '"fontSize":0\.00000001|"widthSpacer":0'

Additionally, monitoring system resource usage (CPU, memory) spikes correlated with these requests can help identify exploitation attempts.

If you have access to the application environment, you can also test by sending a crafted POST request with extreme values to see if the server becomes unresponsive.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Stirling-PDF to version 2.5.2 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, restrict or block access to the `/api/v1/security/add-watermark` endpoint for authenticated users who do not require watermark functionality.

Implement input validation or filtering at the web server or application firewall level to reject requests with extremely small or zero values for `fontSize` and `widthSpacer` parameters.

Monitor system resource usage closely to detect and respond to potential exploitation attempts quickly.
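The following Python script is an added example, not code from Stirling-PDF or from this advisory. It applies the detection idea from the previous answer (flag add-watermark requests whose `fontSize`/`widthSpacer` values are extreme) to a few constructed log lines, and exposes the same bounds check as a pre-validation gate for the mitigation described above. The log line format, the US Letter page size, the thresholds `MIN_FONT_SIZE` and `MAX_TILES`, and the simplified tile-count model in `estimate_tiles` are all assumptions for illustration, not the application's real layout code.

```python
import json
import re
# Assumed defensive bounds (not Stirling-PDF's own values); tune per deployment.
MIN_FONT_SIZE = 1.0            # points
MAX_TILES = 10_000             # cap on estimated watermark repetitions per page
PAGE_W, PAGE_H = 612.0, 792.0  # US Letter in PDF points, assumed for the estimate

def estimate_tiles(font_size, width_spacer, page_w=PAGE_W, page_h=PAGE_H):
    # Simplified layout model: each tile about one font-size wide/high, plus
    # widthSpacer between columns; tiny fontSize and zero spacer blow this up.
    cols = page_w / (font_size + width_spacer)
    rows = page_h / font_size
    return cols * rows

def check_params(font_size, width_spacer):
    """Return (ok, reason); usable as a pre-validation gate for add-watermark."""
    if not (font_size > 0 and width_spacer >= 0):
        return False, "non-positive fontSize or negative widthSpacer"
    if font_size < MIN_FONT_SIZE:
        return False, f"fontSize {font_size} below minimum {MIN_FONT_SIZE}"
    tiles = estimate_tiles(font_size, width_spacer)
    if tiles > MAX_TILES:
        return False, f"estimated {tiles:.0f} tiles exceeds cap {MAX_TILES}"
    return True, "ok"

# Constructed sample log lines (not real traffic), format "METHOD PATH JSON-body".
SAMPLE_LOG = """\
POST /api/v1/security/add-watermark {"fontSize":30,"widthSpacer":50}
POST /api/v1/security/add-watermark {"fontSize":0.00000001,"widthSpacer":0}
POST /api/v1/security/add-watermark {"fontSize":2,"widthSpacer":0}
GET /api/v1/info {"fontSize":0.00000001}
"""
LINE_RE = re.compile(r"^POST /api/v1/security/add-watermark (\{.*\})$")
def flag_suspicious(log_text):
    """Return [(line_no, reason)] for add-watermark requests failing check_params."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue  # not a watermark request
        try:
            body = json.loads(m.group(1))
            fs, ws = float(body["fontSize"]), float(body["widthSpacer"])
        except (ValueError, TypeError, KeyError):
            hits.append((n, "missing or unparseable fontSize/widthSpacer"))
            continue
        ok, reason = check_params(fs, ws)
        if not ok:
            hits.append((n, reason))
    return hits
```

Running `flag_suspicious(SAMPLE_LOG)` flags lines 2 and 3: the first for a sub-minimum `fontSize`, the second because a legal-looking `fontSize` of 2 with a zero spacer still yields an estimated tile count far above the cap, which is why a cap on estimated repetitions is more robust than a single magic threshold.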


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Stirling-PDF causes a Denial of Service (DoS) by exhausting server resources, leading to service unavailability. However, it does not impact confidentiality or integrity of data.

Since there is no confidentiality or integrity impact, the vulnerability does not directly expose personal or sensitive data, which are primary concerns under regulations like GDPR or HIPAA.

Nevertheless, the availability impact could affect compliance with standards that require continuous availability of services, potentially leading to indirect compliance issues if critical services are disrupted.

