CVE-2025-69627 — HIGH (8.4)

Vulnerability Description

Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated and then freed prematurely, after which the freed pointer is still passed into UI and logging helper functions. Because the freed memory region may contain unpredictable heap data or remnants of attacker-controlled JavaScript strings, downstream routines such as wcscmp() may process invalid or stale pointers. This can result in access violations and non-deterministic crashes.

CVSS Score

8.4

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Gonitro	Nitro Pdf Pro	14.41.1.4
Microsoft	Windows	-

Related Weaknesses (CWE)

CWE-416

References

http://nitro.comNot Applicable
https://jeroscope.com/advisories/2025/jero-2025-016/Third Party Advisory

FAQ

What is CVE-2025-69627?

CVE-2025-69627 is a vulnerability with a CVSS score of 8.4 (HIGH). Nitro PDF Pro for Windows 14.41.1.4 contains a heap use-after-free vulnerability in the implementation of the JavaScript method this.mailDoc(). During execution, an internal XID object is allocated an...

How severe is CVE-2025-69627?

CVE-2025-69627 has been rated HIGH with a CVSS base score of 8.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-69627?

Check the references section above for vendor advisories and patch information. Affected products include: Gonitro Nitro Pdf Pro, Microsoft Windows.