External risk intelligence

Apryse HTML2PDF InsertFromURL Command Execution

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2025-56590

The vulnerability resides in an SDK function used for document conversion. While it can be integrated into internet-facing applications to process user-provided URLs, the SDK is a library component rather than a standalone edge service. Its public exposure depends entirely on how developers implement the library within their own specific application architecture.

OS Command Injection

Apryse Html2pdf

11.5.011.7.011.10.0

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in the Apryse HTML2PDF SDK that could allow an attacker to run unauthorized commands on a server. The issue is within a function used to process URLs during document conversion, potentially impacting any system that integrates this SDK for such tasks. The primary concern is confirming whether this specific SDK function is used and exposed in a way that would permit external access.

  • A server command execution flaw exists.
  • It affects document conversion via SDK integration.
  • Confirm if our systems use this SDK function.

Attack Path

How an attacker could exploit the issue

An attacker can reach the vulnerable InsertFromURL() function through a network connection to a server utilizing the Apryse HTML2PDF SDK. This function's flaw could allow an attacker to execute arbitrary commands on the server, potentially leading to a complete system compromise.

  • Network access to server required.
  • Vulnerable function triggered by attacker input.
  • Leads to arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server when the InsertFromURL() function is used to process attacker-controlled URLs.

  • Operating system commands on the server.
  • Attacker-controlled URLs processed by the SDK.
  • Server compromise and arbitrary code execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in the Apryse HTML2PDF SDK's `InsertFromURL()` function could allow remote code execution on the server. Responsibility for addressing this likely falls to the application owners who integrated the SDK, with support from platform or infrastructure teams. The first step is to identify all instances where this SDK is deployed, confirm its reachability and business criticality, and then assign ownership for remediation planning based on the identified risk.

  • Application owners should manage the issue.
  • Verify SDK integration and exposure.
  • Plan remediation based on criticality.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Apryse HTML2PDF SDK?

Apryse HTML2PDF is a software development kit used by programmers to convert web content into PDF documents. It is typically integrated as a library within larger applications, such as web servers or automated document generation tools, to handle rendering tasks for users.

What does CVE-2025-56590 mean for system security?

This vulnerability is classified as CWE-78, or OS Command Injection. It means an attacker can manipulate the software to run unauthorized commands directly on the host server's operating system, essentially tricking the application into performing actions it was never intended to do.

How is this command injection vulnerability triggered?

The flaw is triggered when the affected InsertFromURL() function processes a URL controlled by an attacker. It is not triggered by simply having the SDK installed; the vulnerability requires an application to actively use this specific function to fetch and process external web content provided by untrusted users.

Do I need to worry if my Apryse SDK is internal?

According to Halo Surface Signal, risk depends on how developers implement the library. While the SDK is a component, not an edge service, applications that expose this conversion function to the public internet are at higher risk. Internal-only tools may have a smaller attack surface, but risk remains if any user can influence the URL input.

What are the first steps for managing this issue?

First, conduct an inventory to locate where the Apryse HTML2PDF SDK is used in your environment. Confirm if your custom code calls the InsertFromURL() function and whether that input is accessible to users. Once located, work with the application owners to assess the integration's reachability and prioritize security updates or configuration changes.

References