Jan 19, 2026

By Rich Mirch

Apryse server argument injection RCE  

The Stratascale Cybersecurity Research Unit (CRU) has uncovered an Argument Injection RCE vulnerability in the Apryse HTML2PDF module (CVE‑2025‑56590). Read the full advisory to stay secure.


The Apryse HTML2PDF Module is an optional add-on for the Apryse SDK that can be used to convert HTML content into PDF documents. The API also supports converting HTML files, URLs, and HTML strings, as well as generating PDFs with an optional table of contents and custom-defined ordering.   

More details are available at Apryse docs.

The Stratascale Cybersecurity Research Unit (CRU) has discovered an Argument Injection RCE vulnerability in the Apryse Server SDK HTML2PDF component.  

Related post 

CVE-2025-56589 – Apryse Server SDK HTML2PDF Server-Side Request Forgery (SSRF) / Local File Inclusion (LFI). 

Impact 

The vulnerability could allow an attacker to execute arbitrary operating system commands on the server. 

Remediation 

  • The vendor has declined to recognize or address the vulnerability 
  • Vendor Advisory: N/A 

Tested Versions 

Status      Version  Release Date 
Vulnerable  11.5.0   May 29, 2025 
Vulnerable  11.7.0   August 20, 2025 
Vulnerable  11.10    January 7, 2026 

Tactical workaround 

A simple workaround is to validate every value before it reaches the PDF conversion functions, so that nothing the HTML2PDF module hands to headless Chromium can be interpreted as a command line switch. For InsertFromURL() that means enforcing the expected URL format (an absolute http or https URL with a host name) and rejecting any value that begins with a hyphen or contains whitespace or control characters, since the SDK itself performs no such checks. 

Walkthrough 

The HTML2PDF module provides a simple API, available for most common programming languages, for converting HTML into a PDF. A typical Python caller passes a raw HTML string to the InsertFromHtmlString() function and calls the InsertFromURL() function to download HTML from a web server. The collected HTML is then rendered into a PDF via the Convert() function. 

The interesting part is what happens under the hood. The HTML data is rendered by headless Chromium to perform the conversion. When a URL is supplied, it is placed on the headless Chromium command line as an argument, so a value that begins with -- is parsed by Chromium as one of its own switches rather than as a page to load. 

The vulnerability is exploitable if the calling application does not strictly validate and enforce the format of the URL. Chromium supports several command line switches that cause it to run arbitrary commands; --renderer-cmd-prefix, used below, prepends an attacker-chosen command to the launch of each renderer process. A crafted string passed to the InsertFromURL() function therefore results in command execution as the application user.  

Steps to reproduce 

Pass the following string into the InsertFromURL() function and save the PDF file. When the HTML2PDF module processes it, the application launches headless Chromium in the background with the string on its command line, where Chromium parses it as the --renderer-cmd-prefix switch.  

--renderer-cmd-prefix=/bin/sh -c /bin/id 

The backend application logs show the output of the /bin/id command being executed. The vulnerability was also verified to be exploitable on Windows. 

The fix 

The vendor has not acknowledged the vulnerability or provided a patch. Because the SDK performs no sanitization, the issue can only be mitigated by the calling application: validate every value sent to the PDF conversion functions, and in particular make sure anything passed to InsertFromURL() is a well-formed http or https URL that cannot be read as a command line switch. If your applications also render user-supplied HTML, run it through a trusted HTML sanitizer first and apply output encoding where appropriate; note that an HTML sanitizer does nothing for the URL argument, which needs its own check. 
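The check described in the tactical workaround above and in this section, as an added example. This is not code from the Stratascale advisory or from Apryse; it is a validator a calling application can put in front of InsertFromURL(). The rules it enforces (absolute http or https URL with a host name, no credentials, no leading hyphen, no whitespace or control characters, optional host allowlist) are my assumptions about what a safe input looks like, and the RecordingConverter class is a constructed stand-in for the SDK's HTML2PDF object so the block runs without the SDK installed.

```python
"""Input validation in front of HTML2PDF.InsertFromURL().

Added example, not Apryse's code. The SDK puts the URL on the headless
Chromium command line unchanged, so the caller is the only place a check
can live. The rules below are assumptions about what a safe URL looks like.
"""
from typing import Iterable, Optional
from urllib.parse import urlsplit, urlunsplit


class UnsafeUrl(ValueError):
    """Raised for any value that must not reach InsertFromURL()."""


def validate_html2pdf_url(value: str,
                          allowed_hosts: Optional[Iterable[str]] = None) -> str:
    """Return a normalised URL, or raise UnsafeUrl.

    Order matters: the cheap "could this be a switch?" checks run before
    URL parsing so that nothing resembling an argument is ever accepted.
    """
    if not isinstance(value, str):
        raise UnsafeUrl("URL must be a string")
    # Anything starting with '-' would be parsed by Chromium as a switch
    # (the advisory's payload begins with --renderer-cmd-prefix=).
    if value.startswith("-"):
        raise UnsafeUrl("value begins with '-' and would be read as a switch")
    # Whitespace and control characters have no place in a URL we intend
    # to load, and on some platforms a space splits one argument into two.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\x7f" for ch in value):
        raise UnsafeUrl("whitespace or control character in URL")
    try:
        parts = urlsplit(value)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        raise UnsafeUrl(f"unparseable URL: {exc}") from exc
    if parts.scheme.lower() not in ("http", "https"):
        raise UnsafeUrl(f"scheme {parts.scheme!r} not permitted")
    if not parts.hostname:
        raise UnsafeUrl("URL has no host")
    if parts.username or parts.password:
        raise UnsafeUrl("credentials in URL not permitted")
    if allowed_hosts is not None:
        allowed = {h.lower() for h in allowed_hosts}
        if parts.hostname.lower() not in allowed:
            raise UnsafeUrl(f"host {parts.hostname!r} not on allowlist")
    # Re-serialise from the parsed components (fragment dropped) so the
    # value handed to the SDK is exactly the one that was checked.
    return urlunsplit((parts.scheme.lower(), parts.netloc,
                       parts.path or "/", parts.query, ""))


def is_safe_url(value: str,
                allowed_hosts: Optional[Iterable[str]] = None) -> bool:
    """Boolean wrapper around validate_html2pdf_url()."""
    try:
        validate_html2pdf_url(value, allowed_hosts)
        return True
    except UnsafeUrl:
        return False


class RecordingConverter:
    """Constructed stand-in for the SDK's HTML2PDF object (offline only).

    The real object exposes InsertFromURL(); this one just records calls.
    """

    def __init__(self) -> None:
        self.urls = []

    def InsertFromURL(self, url: str) -> bool:
        self.urls.append(url)
        return True


def safe_insert_from_url(converter, value: str,
                         allowed_hosts: Optional[Iterable[str]] = None) -> str:
    """Validate, then call InsertFromURL() on the (real or stand-in) converter."""
    url = validate_html2pdf_url(value, allowed_hosts)
    converter.InsertFromURL(url)
    return url


if __name__ == "__main__":
    # Constructed sample inputs, including the advisory's payload.
    samples = [
        "--renderer-cmd-prefix=/bin/sh -c /bin/id",   # the RCE payload
        "http://example.com --renderer-cmd-prefix=x",  # switch after a space
        "file:///etc/passwd",                           # wrong scheme
        "example.com/report",                           # not absolute
        "https://www.example.com/report?id=7",          # acceptable
    ]
    for s in samples:
        print(f"{'OK    ' if is_safe_url(s, ['www.example.com']) else 'REJECT'} {s!r}")
```

The allowlist is optional but worth using: restricting hosts also narrows the SSRF/LFI surface described in the related advisory, CVE-2025-56589, which the switch check alone does not touch.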

Disclosure timeline 

2025-07-18 Initial report sent to the vendor security@apryse.com. No response. 

2025-07-22 Follow-up email sent. No response. 

2025-07-31 Reached out to the vendor via their reporting form. 

2025-08-04 The vendor acknowledges initial report. 

2025-09-18 MITRE assigned CVEs for both vulnerabilities (CVE-2025-56589 and CVE-2025-56590). 

2025-09-22 Retested 11.7.0 and confirmed the vulnerabilities were not fixed. 

2025-09-22 Reached out to the vendor again about initial report. No response. 

2026-01-21 Public disclosure. Blog published. 

Credit 

The CVE-2025-56590 – Apryse Server SDK HTML2PDF Argument Injection RCE vulnerability was discovered and reported to Apryse by Rich Mirch of the Stratascale Cybersecurity Research Unit (CRU). 
