CVE-2025-69624

Nitro PDF Pro for Windows 14.41.1.4 contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
http://nitro.com	Not Applicable

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:gonitro:nitro_pdf_pro:14.41.1.4:*:*:*:*:*:*:*

cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

23 Apr 2026, 16:51

Type	Values Removed	Values Added
First Time		Microsoft Gonitro Gonitro nitro Pdf Pro Microsoft windows
References	~~() http://nitro.com -~~	() http://nitro.com - Not Applicable
CPE		cpe:2.3:a:gonitro:nitro_pdf_pro:14.41.1.4:::::::* cpe:2.3:o:microsoft:windows:-:::::::*

13 Apr 2026, 20:16

Type	Values Removed	Values Added
CWE		CWE-476
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

13 Apr 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-13 16:16

Updated : 2026-04-23 16:51

NVD link : CVE-2025-69624

Mitre link : CVE-2025-69624

CVE.ORG link : CVE-2025-69624

JSON object : View

Products Affected

microsoft

windows

gonitro

nitro_pdf_pro

CWE

CWE-476

NULL Pointer Dereference

7.5 /10