CVE-2025-69624: Nitro PDF Pro before 14.43 for Windows contains a NULL pointer dereference vulnerability in the JavaScript...
Nitro PDF Pro before 14.43 for Windows contains a NULL pointer dereference vulnerability in the JavaScript implementation of app.alert(). When app.alert() is called with more than one argument and the first argument evaluates to null (for example, app.alert(app.activeDocs, true) when app.activeDocs is null), the engine routes the call through a fallback path intended for non-string arguments. In this path, js_ValueToString() is invoked on the null value and returns an invalid string pointer, which is then passed to JS_GetStringChars() without validation. Dereferencing this pointer leads to an access violation and application crash when opening a crafted PDF. For example, 14.41.1.4 and 14.42.0.34 have been reported as vulnerable.
Security readout for executives and security teams
Plain-English summary
Nitro PDF Pro for Windows versions before 14.43 can crash when processing a malicious PDF that triggers a JavaScript app.alert() bug. The documented impact is availability loss, not data theft or code execution. Organizations using Nitro PDF Pro should prioritize updating because PDF readers are common phishing targets.
Executive priority
Treat as high priority for environments using Nitro PDF Pro, especially where staff receive external PDFs. The known impact is service disruption, but PDF-based delivery makes patching operationally important.
Technical view
The flaw is a NULL pointer dereference in Nitro PDF Pro’s JavaScript handling of app.alert(). A null first argument can enter a fallback string-conversion path, pass an invalid pointer onward, and cause an access violation. Reported vulnerable builds include 14.41.1.4 and 14.42.0.34.
Likely exposure
Exposure appears limited to Nitro PDF Pro for Windows before 14.43. Structured affected CPE data is absent in the bundle, so inventory should rely on installed product names and versions.
Exploitation context
No active exploitation is stated in the provided sources, and KEV is false. The source describes application crash when opening a crafted PDF, indicating a denial-of-service risk.
Researcher notes
Evidence supports a NULL pointer dereference and crash path, not code execution. The CVSS vector lists UI:N, while the description says the crash occurs when opening a crafted PDF; note this ambiguity during triage.
Mitigation direction
Upgrade Nitro PDF Pro for Windows to version 14.43 or later.
Review Nitro release notes and vendor guidance for any additional remediation advice.
Prioritize systems that open external or untrusted PDF attachments.
Limit automatic handling of untrusted PDFs until upgrades are complete.
Validation and detection
Inventory Nitro PDF Pro installations and record Windows version numbers.
Confirm no installed Nitro PDF Pro version is below 14.43.
Check email, endpoint, and document workflows for untrusted PDF exposure.
Review crash telemetry for Nitro PDF Pro access violations after PDF handling.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-476: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-476 · source CWE mapping
NULL Pointer Dereference
NULL Pointer Dereference represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.