CVE-2025-53626 – pdfme has Sandbox Escape and Prototype Pollution vulnerabilities in pdfme expression evaluation

https://notcve.org/view.php?id=CVE-2025-53626

10 Jul 2025 — pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1. • https://github.com/pdfme/pdfme/commit/0dd54739acff2c249ed68c001a896bee38f0fd85 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') •