CVE-2025-69624
Published: 13 April 2026
Summary
CVE-2025-69624 is a high-severity NULL Pointer Dereference (CWE-476) vulnerability in Gonitro Nitro Pdf Pro. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 0.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-11 (Error Handling) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and correction of flaws like this NULL pointer dereference, directly mitigated by applying vendor patches for Nitro PDF Pro.
SI-11 mandates error handling that prevents security-compromising failures, such as gracefully managing null values in app.alert() to avoid crashes from invalid pointer dereferences.
SI-10 enforces input validation for untrusted data like crafted PDFs, checking syntax and content to block malformed JavaScript arguments triggering the fallback path vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
NULL pointer dereference in PDF JS handler enables remote delivery of crafted PDF to crash the application (Application or System Exploitation for DoS).
NVD Description
Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs…
more
is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF.
Deeper analysisAI
CVE-2025-69624 is a NULL pointer dereference vulnerability (CWE-476) in the JavaScript implementation of the app.alert() function within Nitro PDF Pro for Windows version 14.41.1.4. The flaw arises when app.alert() is invoked with more than one argument and the first argument evaluates to null, as in the case of app.alert(app.activeDocs, true) when app.activeDocs is null. This routes the call through a fallback path for non-string arguments, where js_ValueToString() produces an invalid string pointer from the null value. That pointer is then passed without validation to JS_GetStringChars(), resulting in dereference of an invalid address and an access violation that crashes the application upon opening a crafted PDF.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating it is exploitable over a network with low attack complexity, no privileges or user interaction required, and unchanged scope. Remote, unauthenticated attackers can deliver a specially crafted PDF file that triggers the NULL pointer dereference, achieving denial of service through abrupt termination of the Nitro PDF Pro application.
For details on mitigations, patches, or advisories, refer to the vendor reference at http://nitro.com.
Details
- CWE(s)