CVE-2025-69627
Use-After-Free in Nitro PDF Pro JavaScript Method Causes Crashes
Publication date: 2026-04-13
Last updated on: 2026-04-23
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gonitro | nitro_pdf_pro | 14.41.1.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-416 | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-69627 is a use-after-free vulnerability in Nitro PDF Pro version 14.41.1.4. It occurs in the JavaScript method this.mailDoc() when processing a crafted PDF. During execution, an internal XID object is allocated and then prematurely freed, but the program continues to use the freed pointer in UI and logging functions. This use of a dangling pointer can cause undefined behavior such as access violations or crashes, especially during string comparison operations.
How can this vulnerability impact me?
This vulnerability can cause Nitro PDF Pro to crash or behave unpredictably when opening a malicious PDF that triggers the this.mailDoc() method. The use-after-free condition may lead to access violations, resulting in application instability or denial of service. An attacker could exploit this by crafting a PDF that causes the application to crash, potentially disrupting normal use.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for crashes or access violations in Nitro PDF Pro version 14.41.1.4 when opening PDFs that invoke the JavaScript method this.mailDoc(). Specifically, if a PDF triggers this.mailDoc(), the application may crash due to use-after-free errors.
Detection can involve opening suspicious or untrusted PDFs in a controlled environment and observing for crashes or abnormal behavior related to this.mailDoc().
Since the vulnerability is triggered by the JavaScript method this.mailDoc(), you can also scan PDF files for embedded JavaScript code that calls this.mailDoc().
- Use a PDF analysis tool or script to search for the string "this.mailDoc()" inside PDF files.
- Example command using grep on a collection of PDFs: grep -r --include="*.pdf" "this.mailDoc()" /path/to/pdf/files
- Monitor application logs or Windows Event Viewer for Nitro PDF Pro crashes or access violation errors.
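A plain grep only sees JavaScript stored uncompressed, and it misses calls that pass arguments. The following scanner is an added example, not code from the vendor or the advisory: it looks for any `mailDoc(` call in the raw bytes and inside Flate-compressed streams. It assumes unencrypted PDFs and does not unpack other filters or escaped strings; the function names and the sample bytes are constructed for illustration.

```python
import re
import sys
import zlib

# Any call to mailDoc, with or without arguments.
NEEDLE = re.compile(rb"\bmailDoc\s*\(")
# Body between the "stream" keyword (followed by CRLF or LF) and "endstream".
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\n?endstream", re.DOTALL)

def find_maildoc(data: bytes) -> list[str]:
    """Return where a mailDoc( call appears: 'raw' and/or 'stream N'."""
    hits = []
    if NEEDLE.search(data):
        hits.append("raw")
    for n, m in enumerate(STREAM.finditer(data)):
        try:
            # decompressobj tolerates trailing bytes after the zlib data.
            inflated = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; the raw pass already covered it
        if NEEDLE.search(inflated):
            hits.append(f"stream {n}")
    return hits

def _sample_pdf(js: bytes, compress: bool) -> bytes:
    """Constructed, minimal PDF-like bytes holding one JavaScript stream."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.7\n1 0 obj\n<< " + filt + b"/Length "
            + str(len(body)).encode() + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    # Usage: python scan_maildoc.py file1.pdf file2.pdf ...
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = find_maildoc(fh.read())
        if found:
            print(f"{path}: mailDoc call in {', '.join(found)}")
```

A hit only means the file calls `mailDoc`, which legitimate forms also do, so treat it as a reason to open the file in an isolated environment rather than as proof of a malicious PDF.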
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to apply the vendor-provided patch released on February 2, 2026, which fixes the use-after-free vulnerability in Nitro PDF Pro version 14.41.1.4.
Until the patch can be applied, avoid opening untrusted or suspicious PDF files that may contain JavaScript invoking this.mailDoc().
Consider disabling JavaScript execution within Nitro PDF Pro if the application settings allow it, to prevent exploitation via malicious JavaScript.
Monitor Nitro PDF Pro for crashes and investigate any abnormal behavior promptly.