CVE-2025-55150
Published 2025-08-11
Priority P2 · 64 · critical · CVSS 3.1 base score 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.59% (72.6th percentile)
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, the /api/v1/convert/html/pdf endpoint, which converts an uploaded HTML file to PDF, runs the HTML through a sanitizer and then hands it to a third-party rendering tool. The sanitizer can be bypassed, and the rendering tool then fetches attacker-chosen URLs on the server's behalf, resulting in server-side request forgery (SSRF). This issue has been patched in version 1.1.0.
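The description records a content sanitizer that could be bypassed; the practical lesson is that filtering HTML is a weak SSRF control on its own, and that whatever fetches resources on the renderer's behalf should also be gated on where each request would actually go. The following is an added example of such an egress gate, written for this page and not taken from Stirling-PDF or from its rendering tool; the resolver table, the hostnames and the function names are constructed for illustration. It goes slightly beyond the page's single case by also handling literal IPs, IPv4-mapped IPv6 loopback and multi-answer rebinding names.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed resolver table standing in for DNS so the example runs offline.
# 93.184.216.34 is a public address; the others are classic SSRF targets.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "metadata.internal": ["169.254.169.254"],              # cloud metadata service behind a friendly name
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],  # one public and one private answer
    "v6loop.test": ["::ffff:127.0.0.1"],                   # loopback hidden as IPv4-mapped IPv6
}


def resolve(host):
    """Stand-in for a DNS lookup; returns every answer, not just the first."""
    return FAKE_DNS.get(host.lower().rstrip("."), [])


def is_disallowed(ip_text):
    """True for any address a document renderer must never be allowed to reach."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 payload
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_fetch_target(url, resolver=resolve):
    """Decide whether a URL the renderer wants to fetch may be fetched.

    Returns (allowed, reason, pinned_ip). The caller should connect to pinned_ip
    and send the original name in the Host header instead of resolving again,
    so the address that was checked is the address that is used.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} is not allowed", None
    host = parts.hostname
    if not host:
        return False, "URL has no host", None
    try:
        answers = [str(ipaddress.ip_address(host))]  # literal address, no DNS involved
    except ValueError:
        answers = resolver(host)  # unresolvable names fail closed below
    if not answers:
        return False, f"{host!r} does not resolve", None
    for ip in answers:  # every answer must be acceptable, not only the first
        if is_disallowed(ip):
            return False, f"{host!r} maps to disallowed address {ip}", None
    return True, "ok", answers[0]


if __name__ == "__main__":
    for u in ("http://example.com/logo.png", "http://169.254.169.254/latest/meta-data/",
              "http://rebind.attacker.test/", "http://v6loop.test/", "file:///etc/passwd"):
        allowed, reason, pinned = check_fetch_target(u)
        print(f"{'ALLOW' if allowed else 'DENY '} {u}  ({reason}; pinned={pinned})")
```

Rejecting on any disallowed answer, and pinning the validated address for the actual connection, closes the usual check-then-fetch gap that rebinding exploits. This is defence in depth around whatever third-party tool renders the HTML; upgrading to 1.1.0 remains the fix for the issue itself.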
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| stirling-tools | stirling-pdf | < 1.1.0 | 1.1.0 |
| stirlingpdf | stirling_pdf | < 1.1.0 | 1.1.0 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /api/v1/convert/html/pdf carrying multipart/form-data. After a sanitizer bypass the backend's rendering tool fetches attacker-chosen resources while processing the uploaded HTML, so exploitation typically shows up as an out-of-band callback (DNS, and possibly HTTP, to an interactsh-style listener) originating from the Stirling-PDF host rather than from the uploader.
- Correlate each such POST with DNS resolutions initiated by the Stirling-PDF server process within seconds of the upload; a lookup of a name the service has no reason to contact, in that window, is the most reliable signal the available sources support.
- The public Nuclei template sends a multipart upload with boundary ----WebKitFormBoundaryavCUaFmKmcDEhMPU, a fileInput part with an .html filename, and a zoom field set to 1. The boundary only identifies unmodified copies of that template: it is a free-form value chosen by the sender, and browsers generate a fresh one per request, so treat it as a low-confidence indicator and alert on the combination of an HTML upload to the conversion endpoint followed by an outbound callback instead.
- The bypass requires attacker-crafted HTML; the exact technique (which tags, attributes or URL schemes evade the sanitizer) is not disclosed in the available sources, so precise content-based signatures cannot be written from them.
- The third-party tool invoked by the HTML-to-PDF endpoint is not named in the available sources; identifying it would allow process-level or network-level rules scoped to that binary.
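The first three indicators describe one pattern: an HTML upload to the conversion endpoint followed, within seconds, by a DNS lookup that the Stirling-PDF host issues itself. The script below is an added example of that correlation, not taken from the page's sources or from the project; it runs over constructed reverse-proxy access-log and resolver query-log lines (the 10.0.x.x addresses, the oast.fun name, the server address 10.0.1.20, the allow-list and the log formats are all assumptions) and reports each conversion POST that is followed within a window by a non-allow-listed lookup from the server.

```python
import re
from datetime import datetime, timedelta

ENDPOINT = "/api/v1/convert/html/pdf"

# Reverse-proxy access log in Apache/nginx "combined" format (constructed sample).
ACCESS_LOG = """\
10.0.0.7 - - [11/Aug/2025:14:02:10 +0000] "POST /api/v1/convert/html/pdf HTTP/1.1" 200 20451 "-" "python-requests/2.32.3"
10.0.0.8 - - [11/Aug/2025:14:05:42 +0000] "POST /api/v1/convert/html/pdf HTTP/1.1" 200 18102 "-" "Mozilla/5.0"
10.0.0.9 - - [11/Aug/2025:14:09:00 +0000] "GET /api/v1/info/status HTTP/1.1" 200 312 "-" "curl/8.5.0"
""".splitlines()

# Resolver query log, one line per lookup; client is the host that asked (constructed sample).
# 10.0.1.20 is assumed to be the Stirling-PDF host; 10.0.0.8 is an uploader resolving on its own.
DNS_LOG = """\
2025-08-11T14:02:11+00:00 client=10.0.1.20 qname=abc123.oast.fun qtype=A
2025-08-11T14:02:11+00:00 client=10.0.1.20 qname=fonts.googleapis.com qtype=A
2025-08-11T14:05:50+00:00 client=10.0.0.8 qname=abc123.oast.fun qtype=A
2025-08-11T14:30:00+00:00 client=10.0.1.20 qname=updates.stirling.example qtype=A
""".splitlines()

# Names the converter legitimately resolves (assumed); anything else from the server is suspicious.
ALLOWLIST = frozenset({"fonts.googleapis.com"})

ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DNS_RE = re.compile(r'^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)')


def parse_access(lines):
    """Yield one dict per line in combined format; lines that do not match are skipped."""
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "client": m["client"],
                "method": m["method"],
                "path": m["path"].split("?", 1)[0],  # ignore any query string
                "status": int(m["status"]),
            }


def parse_dns(lines):
    """Yield one dict per resolver log line, with the name normalised for allow-list checks."""
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            yield {
                "ts": datetime.fromisoformat(m["ts"]),
                "client": m["client"],
                "qname": m["qname"].rstrip(".").lower(),
            }


def correlate(access_lines, dns_lines, server_ip, window=timedelta(seconds=30), allowlist=frozenset()):
    """Return one alert per (conversion POST, DNS lookup) pair where the lookup
    was issued by the server itself within `window` after the POST."""
    posts = [r for r in parse_access(access_lines)
             if r["method"] == "POST" and r["path"] == ENDPOINT]
    lookups = [q for q in parse_dns(dns_lines)
               if q["client"] == server_ip and q["qname"] not in allowlist]
    alerts = []
    for p in posts:
        for q in lookups:
            if p["ts"] <= q["ts"] <= p["ts"] + window:
                alerts.append({"post_ts": p["ts"].isoformat(), "client": p["client"], "qname": q["qname"]})
    return alerts


if __name__ == "__main__":
    for a in correlate(ACCESS_LOG, DNS_LOG, "10.0.1.20", allowlist=ALLOWLIST):
        print(f"ALERT {a['post_ts']}: upload from {a['client']} followed by server lookup of {a['qname']}")
```

On the sample data only the 14:02:10 upload is reported: the fonts lookup is allow-listed, the 14:05:50 lookup comes from the uploader rather than the server, and the 14:30:00 lookup falls outside the window. Without the allow-list the same upload produces two alerts, which is why the list of names the converter is expected to resolve has to be maintained per deployment.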
No advisories linked to this vulnerability.
No detection rules found.
Nuclei
Stirling-PDF < 1.1.0 - Server-Side Request Forgery
nuclei · CVSS 9.8
CVE-2025-55150 [CRITICAL] Stirling-PDF < 1.1.0 - Server-Side Request Forgery

```yaml
id: CVE-2025-55150

info:
  name: Stirling-PDF < 1.1.0 - Server-Side Request Forgery
  severity: critical
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-55150
  # Two lines that precede the request on this page did not survive extraction
  # as valid template fields and are kept verbatim here:
  #   Stirling-PDF Stirling PDF")'
  #   internal: true

# The body of the fileInput part (the HTML that makes the renderer call out to
# {{interactsh-url}}) is not preserved on this page; the part is sent empty here.
http:
  - raw:
      - |
        POST /api/v1/convert/html/pdf HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryavCUaFmKmcDEhMPU

        ------WebKitFormBoundaryavCUaFmKmcDEhMPU
        Content-Disposition: form-data; name="fileInput"; filename="{{username}}.html"
        Content-Type: text/html

        ------WebKitFormBoundaryavCUaFmKmcDEhMPU
        Content-Disposition: form-data; name="zoom"

        1
        ------WebKitFormBoundaryavCUaFmKmcDEhMPU--

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(body,'%PDF-1.7')"
        condition: and
# digest: 4b0a00483046022100bf498e06c2c62d701cee255531bf4743382e9115fd54e0bb86b72763bb6a2b97022100bfca1697034a546dbf4dec481f9096058fb7dc888ae7f98f3192138b0069ca86:922c64590222798bb761d5b6d8e72950
```

The matcher requires both conditions: an interactsh DNS interaction must arrive and the response body must contain %PDF-1.7. A host that returns a PDF without making the callback, which is what a patched 1.1.0 instance should do, is not reported, and neither is one that makes the callback but fails the conversion. The trailing digest is the upstream signature over the original template file; this reconstructed copy will not verify against it.
No writeups or analysis indexed.