CVE-2025-55150
published 2025-08-11

Priority: P2 (64)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.59% (72.6th percentile)

Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when the /api/v1/convert/html/pdf endpoint is used to convert HTML to PDF, the backend calls a third-party tool to process the HTML and applies a sanitizer to it first. The sanitizer can be bypassed, resulting in SSRF. This issue has been patched in version 1.1.0.

Affected

2 ranges
Vendor          Product        Version range   Fixed in
stirling-tools  stirling-pdf   < 1.1.0         1.1.0
stirlingpdf     stirling_pdf   < 1.1.0         1.1.0

Detection & IOCs (extracted from sources)

url: /api/v1/convert/html/pdf
  • Monitor for POST requests to /api/v1/convert/html/pdf with multipart/form-data content-type; SSRF exploitation will trigger outbound DNS callbacks (detectable via interactsh/OOB DNS) as the backend processes attacker-supplied HTML through a third-party tool after sanitizer bypass.
  • Detect exploitation by correlating a POST to /api/v1/convert/html/pdf with unexpected outbound DNS resolution originating from the Stirling-PDF server process — a successful SSRF bypass will cause the server to perform DNS lookups to attacker-controlled infrastructure.
  • The exploit payload is delivered as a multipart/form-data upload with boundary '----WebKitFormBoundaryavCUaFmKmcDEhMPU', a fileInput field with an .html filename, and a zoom field set to 1. Alert on this specific boundary string or the combination of an HTML file upload to the PDF conversion endpoint.
  • The SSRF sanitizer bypass requires attacker-crafted HTML content; the exact bypass technique (e.g., specific HTML/JS tags or URL schemes used to evade the sanitizer) is not disclosed in the available sources, limiting the ability to write precise content-based signatures.
  • The third-party backend tool invoked by the HTML-to-PDF conversion endpoint is not named in the available sources; identifying it would allow for more targeted process-level or network-level detection rules.
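
The correlation described above, as an added example (not code from the sources or from the Stirling-PDF project). The log formats, the host name "stirling-pdf", the 10-second window and the allowlist suffix are assumptions, and the sample log lines are constructed.

```python
from datetime import datetime, timedelta

ENDPOINT = "/api/v1/convert/html/pdf"       # endpoint named in the advisory
WINDOW = timedelta(seconds=10)              # assumption: max delay between POST and lookup
ALLOWED_SUFFIXES = (".internal.example",)   # assumption: domains the server normally resolves

# Constructed sample: "<time> <client_ip> <method> <path> <content-type> <status>"
ACCESS_LOG = """\
2025-08-12T10:00:01Z 203.0.113.7 POST /api/v1/convert/html/pdf multipart/form-data 200
2025-08-12T10:00:30Z 198.51.100.4 GET /api/v1/info/status - 200
2025-08-12T10:05:00Z 198.51.100.9 POST /api/v1/convert/html/pdf multipart/form-data 200
"""
# Constructed sample: "<time> <querying_host> <qname> <qtype>"
DNS_LOG = """\
2025-08-12T10:00:03Z stirling-pdf abc123.oob.example.net A
2025-08-12T10:03:00Z stirling-pdf updates.internal.example A
2025-08-12T10:05:02Z stirling-pdf repo.internal.example A
"""

def ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def conversion_posts(access_log):
    """Yield (time, client_ip) for multipart POSTs to the conversion endpoint."""
    for line in access_log.splitlines():
        when, ip, method, path, ctype, _status = line.split()
        if (method == "POST" and path.split("?")[0] == ENDPOINT
                and ctype.startswith("multipart/form-data")):
            yield ts(when), ip

def unexpected_lookups(dns_log, host):
    """Yield (time, qname) for lookups by `host` outside the allowlist."""
    for line in dns_log.splitlines():
        when, src, qname, _qtype = line.split()
        if src == host and not qname.lower().rstrip(".").endswith(ALLOWED_SUFFIXES):
            yield ts(when), qname

def correlate(access_log, dns_log, host="stirling-pdf"):
    """Pair each conversion POST with unexpected lookups that follow it within WINDOW."""
    lookups = list(unexpected_lookups(dns_log, host))
    alerts = []
    for post_time, ip in conversion_posts(access_log):
        for q_time, qname in lookups:
            if timedelta(0) <= q_time - post_time <= WINDOW:
                alerts.append((ip, post_time.isoformat(), qname))
    return alerts

if __name__ == "__main__":
    for alert in correlate(ACCESS_LOG, DNS_LOG):
        print("possible SSRF via HTML-to-PDF conversion:", alert)
```

The second POST in the sample produces no alert because the lookup that follows it matches the allowlist; tune the window and allowlist to the deployment's normal resolver traffic.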