### Key Information

#### Vulnerability Overview

- **Vulnerability Type**: SSRF (Server-Side Request Forgery)
- **Affected Package**: `stirling-pdf` (Maven)
- **Affected Versions**: All versions
- **Fixed Version**: 1.1.0
- **CVE ID**: CVE-2025-55161
- **CVSS v3 Base Metrics**:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Required Privileges: None
  - User Interaction: None
  - Scope: Unchanged
  - Confidentiality Impact: High
  - Integrity Impact: Low
  - Availability Impact: Low
- **Severity**: High (8.6/10)

#### Vulnerability Details

- **Description**: When the `/api/v1/convert/markdown/pdf` endpoint is used to convert Markdown to PDF, the backend invokes a third-party tool for processing and applies a security sanitizer. However, the sanitizer has a flaw that allows it to be bypassed, leading to an SSRF vulnerability.
- **Source Code Location**: `stirling/software/SPDF/controller/api/converters/ConvertMarkdownToPdf.java`
- **Vulnerable Point**: `stirling/software/SPDF/utils/FileToPdf.java`

#### PoC (Proof of Concept)

```http
POST /api/v1/convert/markdown/pdf HTTP/1.1
Host: 172.25.24.140:8080
Content-Length: 247
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.5938.132 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvAfAbBmFpYrQfooK
Accept: */*
Origin: http://172.25.24.140:8080
Referer: http://172.25.24.140:8080/markdown-to-pdf
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=node0dyLx4lgdtzxwixmnid8666ir1.node0
Connection: close

------WebKitFormBoundaryvAfAbBmFpYrQfooK
Content-Disposition: form-data; name="fileInput"; filename="ssrf.md"
Content-Type: application/octet-stream

------WebKitFormBoundaryvAfAbBmFpYrQfooK--
```

#### Impact

- Provides two links to articles introducing the principles and risks of SSRF.
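
For the Markdown-to-PDF flow described under Vulnerability Details, a destination check on the rendered HTML is a defence-in-depth layer that does not rely on the sanitizer being complete. The following is an added example, not Stirling-PDF code and not the 1.1.0 fix; the class `OutboundUrlGuard`, its methods and the sample HTML are hypothetical, and it assumes the HTML is available as a string before it is handed to the converter.

```java
import java.net.InetAddress;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not Stirling-PDF code: list URLs in converter-bound HTML that must not be fetched.
public class OutboundUrlGuard {
    // src/href attribute values and CSS url(...) references (a production filter should walk a parsed DOM).
    private static final Pattern URL_REF = Pattern.compile(
        "(?i)(?:\\b(?:src|href)\\s*=\\s*[\"']?|url\\(\\s*[\"']?)([^\"'\\s>)]+)");

    // True for destinations a server-side fetch should never reach.
    static boolean isInternal(InetAddress a) {
        byte[] b = a.getAddress();
        boolean cgnat = b.length == 4 && (b[0] & 0xff) == 100 && (b[1] & 0xc0) == 64; // 100.64.0.0/10
        boolean ula = b.length == 16 && (b[0] & 0xfe) == 0xfc;                          // fc00::/7
        return a.isLoopbackAddress() || a.isAnyLocalAddress() || a.isLinkLocalAddress()
            || a.isSiteLocalAddress() || a.isMulticastAddress() || cgnat || ula;
    }

    // Strict policy: a reference passes only if it is relative, or http(s) with every resolved address public.
    static List<String> findBlocked(String html) {
        List<String> blocked = new ArrayList<>();
        Matcher m = URL_REF.matcher(html);
        while (m.find()) {
            String ref = m.group(1);
            try {
                URI uri = new URI(ref);
                String scheme = uri.getScheme();
                if (scheme == null && uri.getRawAuthority() == null) continue; // relative path
                boolean web = scheme == null || scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https");
                // Fail closed: non-web scheme, or an authority the parser could not split into a host.
                if (!web || uri.getHost() == null) { blocked.add(ref); continue; }
                for (InetAddress a : InetAddress.getAllByName(uri.getHost())) {
                    if (isInternal(a)) { blocked.add(ref); break; }
                }
            } catch (Exception e) {
                blocked.add(ref); // unparseable or unresolvable: reject rather than guess
            }
        }
        return blocked;
    }

    public static void main(String[] args) {
        // Constructed sample of post-Markdown HTML; hosts are IP literals so no DNS lookup is needed.
        String html = "<img src=\"http://127.0.0.1:8080/a.png\"><link rel=\"stylesheet\" href=\"http://10.0.0.5/s.css\">"
            + "<img src=\"https://203.0.113.10/logo.png\"><img src=\"images/local.png\">";
        System.out.println(findBlocked(html));
    }
}
```

A resolve-then-fetch check can still be defeated if DNS answers change between the check and the converter's own lookup, so pair it with network egress restrictions on the host that runs the conversion.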