CVE-2025-69624
Null Pointer Dereference in Nitro PDF Pro app.alert() Causes Crash
Publication date: 2026-04-13
Last updated on: 2026-04-23
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gonitro | nitro_pdf_pro | 14.41.1.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-476 | The product dereferences a pointer that it expects to be valid but is NULL. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Nitro PDF Pro for Windows version 14.41.1.4 and involves a NULL pointer dereference in the JavaScript implementation of the app.alert() function.
When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the program incorrectly processes this null value.
Specifically, the call is routed through a fallback path intended for non-string arguments, where a function js_ValueToString() is called on the null value and returns an invalid string pointer. This invalid pointer is then passed without validation to JS_GetStringChars(), leading to a NULL pointer dereference.
This causes an access violation and results in the application crashing when opening a specially crafted PDF.
How can this vulnerability impact me? :
This vulnerability can cause Nitro PDF Pro to crash unexpectedly when opening a maliciously crafted PDF file.
Such crashes can lead to denial of service, interrupting normal use of the application and potentially causing loss of unsaved work or disruption in workflows that rely on Nitro PDF Pro.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Nitro PDF Pro for Windows 14.41.1.4 is a NULL pointer dereference that causes an application crash when opening a crafted PDF. It does not directly impact confidentiality or integrity of data, as the CVSS score indicates no impact on confidentiality or integrity but a high impact on availability.
Since the vulnerability leads to a denial of service (application crash) without compromising data confidentiality or integrity, its effect on compliance with standards like GDPR or HIPAAβwhich primarily focus on protecting personal data confidentiality and integrityβis likely minimal or indirect.
However, availability is a component of many security frameworks, and repeated crashes could affect operational availability, which might have some compliance implications depending on the context of use.