CVE-2025-69627
Published: 13 April 2026
Summary
CVE-2025-69627 is a high-severity Use After Free (CWE-416) vulnerability in Gonitro Nitro Pdf Pro. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). The CVE ranks at the 0.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-18 (Mobile Code) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the heap use-after-free vulnerability in Nitro PDF Pro by requiring timely application of vendor patches or updates.
Implements memory protection mechanisms such as heap integrity checks and address space randomization to mitigate exploitation of the use-after-free leading to memory corruption.
Restricts or blocks execution of JavaScript mobile code in PDF viewers, preventing invocation of the vulnerable this.mailDoc() method.
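As a complement to blocking JavaScript in the viewer, inbound PDFs can be triaged for scripts that call the affected method. The following is an added example, not code from this page or from Nitro; the function names and the sample document are constructed for illustration.

```python
import re
import zlib

# PDF name keys that mark a JavaScript action (/S /JavaScript, /JS).
JS_KEYS = re.compile(rb"/(?:JavaScript|JS)\b")
# The method named in the advisory, tolerating whitespace before "(".
MAILDOC = re.compile(rb"\bmailDoc\s*\(")
# Stream bodies; most are Flate-compressed, so a plain byte search misses them.
STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf: bytes):
    """Yield every stream body, inflated when it is zlib (FlateDecode) data."""
    for match in STREAM.finditer(pdf):
        body = match.group(1)
        try:
            # decompressobj tolerates a clipped trailer byte, unlike zlib.decompress
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # other filter or raw text: scan the bytes as they are


def triage(pdf: bytes) -> dict:
    """Report whether a file carries JavaScript and whether it calls mailDoc().

    Heuristic only: hex-escaped names (#xx), non-Flate filters and encrypted
    files evade it, so treat a negative result as "unknown", not "clean".
    """
    views = [pdf, *inflate_streams(pdf)]
    return {
        "has_javascript": any(JS_KEYS.search(v) for v in views),
        "calls_maildoc": any(MAILDOC.search(v) for v in views),
    }


def sample_pdf(script: bytes, compress: bool) -> bytes:
    """Constructed PDF-like fragment for the demo (no xref; will not open)."""
    body = zlib.compress(script) if compress else script
    filt = b"/Filter /FlateDecode " if compress else b""
    head = b"%PDF-1.7\n1 0 obj\n<< /S /JavaScript /JS 2 0 R >>\nendobj\n2 0 obj\n<< "
    length = b"/Length %d >>\nstream\n" % len(body)
    return head + filt + length + body + b"\nendstream\nendobj\n"


if __name__ == "__main__":
    packed = sample_pdf(b"this.mailDoc();\n" * 4, compress=True)
    print("naive byte search hit:", bool(MAILDOC.search(packed)))
    print("triage:", triage(packed))
```

A hit on `has_javascript` alone is enough to route a file to a viewer with JavaScript disabled; `calls_maildoc` narrows the set worth manual review.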
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A use-after-free in the PDF JavaScript handler enables client-side memory corruption or RCE when a malicious PDF is processed.
NVD Description
Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes.
Deeper analysis
CVE-2025-69627 is a heap use-after-free vulnerability (CWE-416) in Nitro PDF Pro for Windows version 14.41.1.4. The flaw occurs in the implementation of the JavaScript method this.mailDoc(), where an internal XID object is allocated and then freed prematurely. The freed pointer is subsequently passed into UI and logging helper functions, which may process unpredictable heap data or remnants of attacker-controlled JavaScript strings. This leads downstream routines, such as wcscmp(), to handle invalid or stale pointers, resulting in access violations and non-deterministic crashes.
The vulnerability carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating it can be exploited by a local attacker requiring no privileges or user interaction, with low attack complexity and unchanged scope. Exploitation can achieve high impacts on confidentiality, integrity, and availability, potentially through the processing of stale pointers in a way that enables broader memory corruption beyond crashes.
Advisories providing further details, including potential mitigations or patches, are available from the vendor at http://nitro.com and from Jeroscope at https://jeroscope.com/advisories/2025/jero-2025-016/.
Details
- CWE(s)