CVE-2021-21796: Use After Free in Nitro PRO

CWE-416: Use After Free
8 documents, 5 sources

Severity: 7.8 HIGH (NVD)
EPSS: 75.5% (top 1.11%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Oct 18
Latest update: Oct 21

Description

An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF. A specially crafted document can cause an object containing the path to a document to be destroyed and then later reused, resulting in a use-after-free vulnerability, which can lead to code execution under the context of the application. An attacker can convince a user to open a document to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.8 | Impact: 5.9

Affected Packages (2 packages)

CVEListV5 | gonitro/nitro_pro | Nitro Pro 13.31.0.605, Nitro Pro 13.33.2.645
NVD | gonitro/nitro_pro | 13.31.0.605, 13.33.2.645 (+1)

🔴 Vulnerability Details (5)

OSV: linux-aws vulnerabilities (2025-10-21)
OSV: linux-aws, linux-lts-xenial vulnerabilities (2025-10-02)
OSV: linux, linux-kvm vulnerabilities (2025-10-02)
GHSA: GHSA-xv8q-fw76-648m: An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF (2022-05-24)
CVEList: CVE-2021-21796: An exploitable use-after-free vulnerability exists in the JavaScript implementation of Nitro Pro PDF (2021-10-18)

🕵️ Threat Intelligence (2)

Talos: Vulnerability Spotlight: Code execution vulnerabilities in Nitro Pro PDF (2021-10-14)
Talos: Vulnerability Spotlight: Code execution vulnerabilities in Nitro Pro PDF (2021-10-14)