CVE-2025-11362: 
JavaScript vulnerability analysis and mitigation

CVE-2025-11362 affects the pdfmake package versions before 0.3.0-beta.17. The vulnerability was discovered by Ryusei Ishikawa and was disclosed on April 29, 2025, with publication occurring on October 6, 2025. This security issue involves an Allocation of Resources Without Limits or Throttling vulnerability that occurs via repeatedly redirect URL in file embedding (Snyk, NVD).

The vulnerability is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). It has received a CVSS v4.0 base score of 8.7 (High) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N, and a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability can be exploited remotely with low attack complexity and requires no privileges or user interaction (Snyk).

When successfully exploited, this vulnerability allows an attacker to cause the application to crash or become unresponsive by providing crafted input that triggers the resource allocation condition. The primary impact is on system availability, with no direct effect on confidentiality or integrity (Snyk).

The vulnerability has been fixed in version 0.3.0-beta.17 of pdfmake. Users are advised to upgrade to this version or later to address the security issue. The fix implements a maximum redirect limit of 30 to prevent unlimited redirections (GitHub).