{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-69627", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-04-14T16:30:15.973Z", "dateReserved": "2026-01-09T00:00:00.000Z", "datePublished": "2026-04-13T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T15:16:10.135Z"}, "descriptions": [{"lang": "en", "value": "Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "http://nitro.com"}, {"url": "https://jeroscope.com/advisories/2025/jero-2025-016/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-416", "lang": "en", "description": "CWE-416 Use After Free"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:39:52.327437Z", "id": "CVE-2025-69627", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:30:15.973Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.4, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2025-69627", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T15:39:52.327437Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:40:19.774Z"}}], "cna": {"affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "references": [{"url": "http://nitro.com"}, {"url": "https://jeroscope.com/advisories/2025/jero-2025-016/"}], "descriptions": [{"lang": "en", "value": "Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "n/a"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-13T15:16:10.135Z"}}}, "cveMetadata": {"cveId": "CVE-2025-69627", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:30:15.973Z", "dateReserved": "2026-01-09T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2026-04-13T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes."}], "id": "CVE-2025-69627", "lastModified": "2026-04-14T17:16:26.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-13T16:16:24.867", "references": [{"source": "cve@mitre.org", "url": "http://nitro.com"}, {"source": "cve@mitre.org", "url": "https://jeroscope.com/advisories/2025/jero-2025-016/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": ["windows"], "status": "affected", "versions": {"scheme": "generic", "value": "14.41.1.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "n/a", "source": "cna", "vendor": "n/a"}, "product": "pdf_pro", "vendor": "nitro"}], "analysis": {"en": {"generated_at": "2026-04-13T16:26:55.428211+00:00", "value": {"mitigation_remediation": ["Check for and apply any available Nitro PDF Pro update that fixes the heap use\u2011after\u2011free bug.", "If a patch cannot be applied immediately, disable JavaScript execution for PDFs or avoid opening untrusted documents that may call the vulnerable method.", "Monitor Nitro\u2019s official website and security advisories for a formal fix, and test the patched version in a controlled environment before deployment.", "Perform a risk assessment of any critical workflows that rely on Nitro PDF Pro and consider sandboxing or isolation of PDF viewing for the affected version."], "summary": {"action": "Update Software", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Only Nitro PDF Pro for Windows 14.41.1.4 appears to be affected. The product is a desktop PDF reader and editor that runs on Windows. No other versions are listed in the available data, but any similar builds that contain the same implementation may also be vulnerable until the vendor releases a fix.", "description_and_impact": "The bug is a heap use\u2011after\u2011free that occurs in Nitro PDF Pro for Windows 14.41.1.4 when the JavaScript method this.mailDoc() is executed. An internal XID object is allocated and then freed prematurely; the invalid pointer is still passed into user\u2011interface and logging routines that may call functions such as wcscmp() on stale data. Because the memory contains unpredictable content from an earlier payload, the application can trigger an access violation and crash. The primary consequence is a denial\u2011of\u2011service; there is no evidence that an attacker can obtain code execution or read confidential data. The weakness is a classic use\u2011after\u2011free flaw (CWE\u2011416).", "risk_and_exploitability": "No CVSS or EPSS score is available, so the severity cannot be quantified precisely. The vulnerability can be triggered by a malicious PDF containing JavaScript that invokes this.mailDoc(); therefore the attack requires that a user opens a crafted document on the victim\u2019s machine. The impact is local denial of service through application crashes. The bug is not listed in CISA\u2019s KEV catalog, indicating that it is not a widely known or mass\u2011exploited vulnerability at this time. Until a patch is available, the threat to an organization is primarily the risk of intermittent service disruptions when opening potentially malicious documents."}}}}, "created": "2026-04-14T16:21:59.967317+00:00", "title": "Use\u2011After\u2011Free in this.mailDoc() Leads to Crash in Nitro PDF Pro", "updated": "2026-04-14T16:35:49.560411+00:00", "vendors": ["nitro", "nitro$PRODUCT$pdf_pro"], "weaknesses": ["CWE-416"]}