CVE-2025-55161
published 2025-08-11CVE-2025-55161: Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when using the…
PriorityP180critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
1.86%
76.7th percentile
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when using the /api/v1/convert/markdown/pdf endpoint to convert Markdown to PDF, the backend calls a third-party tool to process it and includes a sanitizer for security sanitization which can be bypassed and result in SSRF. This issue has been patched in version 1.1.0.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| stirling-tools | stirling-pdf | < 1.1.0 | 1.1.0 |
| stirlingpdf | stirling_pdf | < 1.1.0 | 1.1.0 |
Detection & IOCsextracted from sources · hover to see the quote
sigma↗
shodan-query: http.title:"Stirling PDF"
- →Monitor for POST requests to /api/v1/convert/markdown/pdf containing Markdown image tags with external URLs (SSRF via img src), especially with multipart/form-data bodies and .md file uploads. ↗
- →Detect out-of-band DNS/HTTP interactions triggered by the server after receiving a crafted Markdown file upload — indicative of successful SSRF exploitation via this endpoint. ↗
- →A successful exploit response will return HTTP 200 with Content-Type application/pdf after submitting the malicious Markdown payload. ↗
- →Unauthenticated attackers can exploit this endpoint — no authentication headers are required in the attack request. ↗
- ·The sanitizer intended to block SSRF can be bypassed; do not rely on the built-in sanitizer in pre-1.1.0 deployments as a security control. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck8.6HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Nuclei
Stirling-PDF SSRF via Markdown
nuclei·CVSS 9.8
CVE-2025-55161 [CRITICAL] Stirling-PDF SSRF via Markdown
Stirling-PDF SSRF via Markdown
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when using the /api/v1/convert/markdown/pdf endpoint to convert Markdown to PDF, the backend calls a third-party tool to process it and includes a sanitizer for security sanitization which can be bypassed and result in SSRF.
Template:
id: CVE-2025-55161
info:
name: Stirling-PDF SSRF via Markdown
author: beginee
severity: high
description: |
Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when using the /api/v1/convert/markdown/pdf endpoint to convert Markdown to PDF, the backend calls a third-party tool to process it and includes a sanitizer for security sanitization
No writeups or analysis indexed.
2025-08-11
Published
Exploited in the wild