High (8.8)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

PT-2025-12: Deserialization of Untrusted Data in HTML2PDF

Error type:

  • CWE-502: Deserialization of Untrusted Data

Vulnerability vector:

  • Base vulnerability score (CVSSv4.0): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N
  • Severity (CVSSv4.0): 8.8 (high)

Description:

The vulnerability was identified in HTML2PDF, version 5.3.0.

The discovered vulnerability allows an attacker to create objects of arbitrary classes with full control over their properties, and thereby to alter the logic of the web application.
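The following is an added illustration of the CWE-502 pattern described above in a generic PHP application; it is not HTML2PDF's code and makes no claim about where in HTML2PDF the issue lies. The class `ReportOptions`, the helper functions and the serialized sample are hypothetical and constructed for the example; it contrasts a default `unserialize()` call with the hardened form and a JSON-based alternative.

```php
<?php
declare(strict_types=1);

// Hypothetical application class. Nothing about it is special: any class that
// is loadable at the point of unserialize() can be instantiated this way.
final class ReportOptions
{
    public string $outputDir = '/var/app/reports';
    public bool $debug = false;
}

// Constructed sample payload standing in for attacker-controlled input
// (cookie, request parameter, cached blob). It names the class and sets
// both properties; the constructor is never run.
$untrusted = 'O:13:"ReportOptions":2:{s:9:"outputDir";s:4:"/tmp";s:5:"debug";b:1;}';

// Unsafe (PHP default): instantiates whatever class the payload names and
// populates its properties. This is the behaviour the advisory describes.
function unsafeRestore(string $data): mixed
{
    return unserialize($data);
}

// Hardened: refuse object instantiation. Any object in the payload becomes a
// __PHP_Incomplete_Class, which carries no application logic.
function safeRestore(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Preferred for untrusted input: avoid PHP's native format altogether and
// copy validated scalar fields into a freshly constructed object.
function restoreFromJson(string $data): ReportOptions
{
    $decoded = json_decode($data, true, 8, JSON_THROW_ON_ERROR);
    $opts = new ReportOptions();
    if (is_string($decoded['outputDir'] ?? null)) {
        $opts->outputDir = $decoded['outputDir'];
    }
    $opts->debug = (bool) ($decoded['debug'] ?? false);
    return $opts;
}

$unsafe = unsafeRestore($untrusted);
var_dump($unsafe instanceof ReportOptions, $unsafe->outputDir);

$safe = safeRestore($untrusted);
var_dump($safe instanceof __PHP_Incomplete_Class);

$fromJson = restoreFromJson('{"outputDir":"/tmp","debug":true}');
var_dump($fromJson->outputDir, $fromJson->debug);
```

When auditing a PHP dependency for this class of issue, search for `unserialize(` calls that lack the `allowed_classes` option and trace whether their input can originate from a request, cookie or shared cache.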

Vulnerability status: Confirmed by vendor

Date of vulnerability remediation: 26.02.2025

Recommendations:

  • Update to version or higher

Additional information:

Researcher: Aleksey Solovev (Positive Technologies)

Vendor:

SPIPU

Vulnerable product:

HTML2PDF

Vulnerable versions:

5.3.0