Jan 16, 2026

By Anthony Morell

Apryse module SSRF & LFI

The Stratascale Cybersecurity Research Unit (CRU) has discovered a Server-Side Request Forgery and Local File Inclusion Vulnerability in Apryse HTML2PDF module (CVE-2025-56589). Learn more to stay protected.


The Apryse HTML2PDF Module is an optional add-on for the Apryse SDK that can be used to convert HTML content into PDF documents. The API also supports converting HTML files, URLs, and HTML strings, as well as generating PDFs with an optional table of contents and custom-defined ordering.  

More details are available at Apryse docs.

The Stratascale Cybersecurity Research Unit (CRU) has discovered a Server-Side Request Forgery (SSRF) and Local File Inclusion (LFI) vulnerability in the Apryse Server SDK HTML2PDF component.  

Related Post 

CVE-2025-56590 – Apryse Server SDK HTML2PDF Argument Injection RCE. 

Impact 

The vulnerability could allow an attacker to read local files and/or induce the web application to send arbitrary HTTP requests. These vulnerabilities could compromise the confidentiality of data stored on the server or the integrity of the server by creating unauthorized remote requests. 

Remediation 

  • The vendor has declined to recognize or address the vulnerability
  • Vendor Advisory: N/A 

Tested Versions 

Status      Version  Release Date 
Vulnerable  11.5.0   May 29, 2025 
Vulnerable  11.7.0   August 20, 2025 
Vulnerable  11.10    January 7, 2026 

Tactical workaround

A simple workaround to prevent exploitation is to strictly sanitize any data sent to the PDF conversion functions to ensure that JavaScript, iframe, or other potential malicious code or tags are not interpreted by the HTML2PDF module. 

Walkthrough 

The HTML2PDF module provides a simple API for common programming languages to convert HTML into a PDF. For example, the following Python code sample passes a raw HTML string to the InsertFromHtmlString() function and calls InsertFromURL() to download HTML from a web server. The HTML data is then transformed into a PDF via the Convert() function. 

The interesting part is what happens under the hood. The HTML data is processed through headless Chromium to perform the conversion. When an HTML string is sent, the data is staged in a temporary file, and the file name is passed to headless Chromium as a command line argument. When a URL is sent, it is likewise passed to headless Chromium as a command line argument. Both methods produce a generated PDF file. 

Steps to reproduce 

There are many methods to test the HTML2PDF Server SDK. For this proof-of-concept, Anthony Morell of the Stratascale Penetration Test team developed a custom web application to illustrate the HTML2PDF vulnerabilities. Enter the following example of an HTML-formatted email to convert it to a PDF file.  

The backend application logs show a conversion being made with HTML2PDF. 

The PDF is then generated and viewable for the user. 

Sending in HTML with a crafted iframe tag will induce the Chromium instance to send an HTTP GET request to the URL in the src attribute. 

When processed by the HTML2PDF module, the server makes the HTTP request and then converts the HTML email and the SSRF HTTP response into the resulting PDF file. 

Local files such as the /etc/passwd file can be retrieved as well using file:///etc/passwd for the source of the iframe. 

Proof of concept 

The following code snippet is a partial custom Python application that uses the HTML2PDF Server SDK component to create a PDF by calling the InsertFromHtmlString() function. 

```python
import os
from flask import Flask, request, send_file
from apryse_sdk import PDFNet, HTML2PDF, PDFDoc, SDFDoc

app = Flask(__name__)

# Initialize Apryse SDK. The license key is not shown on the original page;
# it is assumed here to be supplied through an environment variable.
license_key = os.environ.get("APRYSE_LICENSE_KEY", "")
PDFNet.Initialize(license_key)

# Path to HTML2PDF module
module_path = os.path.join(app.root_path, "HTML2PDFLinux")


@app.route("/", methods=["GET", "POST"])
def index():
    if request.method == "POST":
        html_content = request.form.get("html")  # RAW HTML from user, no sanitization

        # Ensure static directory exists
        output_dir = os.path.join(app.root_path, "static")
        os.makedirs(output_dir, exist_ok=True)
        output_path = os.path.join(output_dir, "output.pdf")

        try:
            doc = PDFDoc()
            html2pdf = HTML2PDF()

            # Tell Apryse where the Chromium module is
            HTML2PDF.SetModulePath(module_path)

            # Accept raw HTML string instead of URL; this is where the
            # untrusted markup reaches headless Chromium
            html2pdf.InsertFromHtmlString(html_content)
            html2pdf.Convert(doc)
            doc.Save(output_path, SDFDoc.e_linearized)

            return send_file(output_path, as_attachment=True, download_name="output.pdf")
        except Exception as e:
            return f"<h3>Error: {e}</h3>"

    # GET: minimal form for submitting HTML to be converted
    return '<form method="post"><textarea name="html"></textarea><button>Convert</button></form>'
```

The fix 

The vendor has not acknowledged the vulnerability or provided a patch. Because the SDK performs no sanitization, the issue can be mitigated by strictly sanitizing the data sent to the PDF conversion functions. If your applications display HTML, it is suggested to use a trusted HTML sanitizer first and apply output encoding where appropriate. 
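The tactical workaround and the fix above both come down to the same control: nothing reaches InsertFromHtmlString() that headless Chromium could turn into a fetch or a file read. The following module is an added example written for this page; it is not the advisory's proof-of-concept code and not Apryse's. It rebuilds submitted HTML from a tag allowlist and vets every href/src it keeps: the scheme must be http or https (so file://, data:, javascript: and relative references are all dropped) and the host must resolve to a globally routable address. The allowlist, the names `url_is_safe` and `sanitize_for_pdf`, and the fake resolver table in the demo are all assumptions of this example; in a handler like the proof of concept above, call `sanitize_for_pdf()` on the form field and pass only its first return value to the SDK.

```python
import ipaddress
import socket
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist of tags a formatted e-mail needs; everything else is dropped.
# Assumption: this list is the editor's choice, not something Apryse prescribes.
ALLOWED_TAGS = {
    "p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol", "li",
    "h1", "h2", "h3", "h4", "h5", "h6", "div", "span", "table", "thead",
    "tbody", "tr", "td", "th", "blockquote", "pre", "code", "hr",
}
URL_ATTRS = {"href", "src"}          # attributes headless Chromium will dereference
RAW_TEXT_TAGS = {"script", "style"}  # parsed as CDATA; their bodies are discarded too


def url_is_safe(url, resolve=socket.gethostbyname):
    """True only for absolute http(s) URLs whose host resolves to a global address."""
    # `resolve` is injectable so the check can run offline in tests.
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False  # file://, data:, javascript:, relative paths, bare "//host"
    try:
        addr = ipaddress.ip_address(resolve(parsed.hostname))
    except (OSError, ValueError):  # resolution failed or returned no usable address
        return False
    return addr.is_global  # rejects loopback, RFC 1918, link-local, reserved space


class PdfHtmlSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes and records everything dropped."""

    def __init__(self, url_check):
        super().__init__()  # convert_charrefs=True: text arrives decoded and is re-escaped
        self.url_check = url_check
        self.out = []
        self.dropped = []  # audit trail: log this, it is the detection signal
        self._raw_depth = 0  # >0 while inside <script>/<style>

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on") or name == "style":  # event handlers, inline CSS
                self.dropped.append(f"{tag}@{name}")
                continue
            if name in URL_ATTRS and not (value and self.url_check(value)):
                self.dropped.append(f"{tag}@{name}={value!r}")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth += 1
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._raw_depth = max(0, self._raw_depth - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._raw_depth:
            self.out.append(escape(data, quote=False))


def sanitize_for_pdf(html_text, url_check=url_is_safe):
    """Return (clean_html, dropped); pass clean_html to InsertFromHtmlString()."""
    parser = PdfHtmlSanitizer(url_check)
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline (no real DNS lookups).
    FAKE_DNS = {"www.example.com": "93.184.216.34", "intranet.example": "10.0.0.5"}

    def check(u):
        return url_is_safe(u, resolve=lambda h: FAKE_DNS.get(h, ""))

    # Constructed "HTML e-mail" carrying the kinds of markup the advisory describes.
    sample = (
        '<p>Hi <b>Bob</b>, see the <a href="https://www.example.com/report">report</a>.</p>'
        '<iframe src="file:///etc/passwd"></iframe><img src="http://intranet.example/status" alt="s">'
        '<a href="https://www.example.com/x" onclick="steal()">ok</a><script>alert(1)</script>'
    )
    clean, dropped = sanitize_for_pdf(sample, check)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is the part worth wiring into monitoring: a submission that sheds an iframe, a file:// source or an inline event handler is exactly the input this advisory describes, and logging it gives the application a detection the SDK itself never provides. Two limits to keep in mind: the resolver check runs once, before Chromium resolves the name again, so it does not on its own defeat DNS rebinding, and it cannot see HTTP redirects that Chromium follows after the fetch starts. Egress filtering on the host that runs the conversion, and not handing untrusted URLs to InsertFromURL() at all, cover those gaps.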

Disclosure timeline 

2025-07-18 Initial report sent to vendor security@apryse.com. No response. 

2025-07-22 Follow-up email sent. No response. 

2025-07-31 Reached out to the vendor via their reporting form. 

2025-08-04 Vendor acknowledges initial report. 

2025-09-18 MITRE assigned CVEs for both vulnerabilities. 

2025-09-22 Retested 11.7.0; confirmed the vulnerabilities were not fixed. 

2025-09-22 Reached out to the vendor again about the initial report. No response. 

2026-01-21 Public disclosure. Blog published. 

Credit 

The CVE-2025-56589 – Apryse Server SDK HTML2PDF SSRF/LFI vulnerability was discovered and reported to Apryse by Anthony Morell of the Stratascale Cybersecurity Research Unit (CRU). 
