### [CVE-2025-53626](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53626)
![](https://img.shields.io/static/v1?label=Product&message=pdfme&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=%3E%3D%205.2.0%2C%20%3C%205.4.1%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-1321%3A%20Improperly%20Controlled%20Modification%20of%20Object%20Prototype%20Attributes%20('Prototype%20Pollution')&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-79%3A%20Improper%20Neutralization%20of%20Input%20During%20Web%20Page%20Generation%20('Cross-site%20Scripting')&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=CWE-94%3A%20Improper%20Control%20of%20Generation%20of%20Code%20('Code%20Injection')&color=brightgreen)

### Description

pdfme is a TypeScript-based PDF generator and React-based UI. The expression evaluation feature in pdfme 5.2.0 to 5.4.0 contains critical vulnerabilities allowing sandbox escape leading to XSS and prototype pollution attacks. This vulnerability is fixed in 5.4.1.

### POC

#### Reference
- https://github.com/pdfme/pdfme/security/advisories/GHSA-54xv-94qv-2gfg

#### Github
No PoCs found on GitHub currently.