CVE-2020-10909 in PhantomPDF
Summary
by MITRE
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foxit PhantomPDF 9.7.0.29478. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of the AddWatermark command of the communication API. The issue results from the lack of proper validation of user-supplied data, which can result in a type confusion condition. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-9942.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 05/06/2026
CVE-2020-10909 represents a critical type confusion vulnerability within Foxit PhantomPDF version 9.7.0.29478 that enables remote code execution through improper input validation in the AddWatermark command of the communication API. This vulnerability falls under the CWE-843 category of type confusion, where the application fails to properly validate data types during processing operations. The flaw manifests when the software processes user-supplied parameters without adequate type checking, allowing an attacker to manipulate the execution flow by providing malicious input that confuses the type handling mechanisms of the application's memory management system.
The vulnerability requires user interaction to be exploited, meaning that an attacker must convince a target to visit a malicious webpage or open a specially crafted file containing the vulnerable AddWatermark command. This makes the attack vector particularly dangerous in phishing campaigns or when users are tricked into opening compromised documents. The attack leverages the communication API's insufficient validation of parameters passed to the watermark functionality, creating a condition where the application's internal type system becomes confused about the expected data types, potentially leading to memory corruption and arbitrary code execution within the context of the current process.
From an operational impact perspective, successful exploitation of this vulnerability allows attackers to execute malicious code with the privileges of the PhantomPDF application process, which typically runs with the same permissions as the user who launched the application. This could result in complete system compromise if the user has administrative privileges, enabling attackers to install malware, steal sensitive data, or establish persistent access to the compromised system. The vulnerability's remote exploitability through web-based attacks makes it particularly dangerous for enterprise environments where users may encounter malicious content in emails, web browsing sessions, or document sharing platforms.
The attack surface for this vulnerability aligns with the ATT&CK framework's technique T1203, which covers legitimate user access and privilege escalation through application misuse. Organizations should implement multiple layers of defense including network segmentation, web application firewalls, and regular security updates to mitigate this risk. The vulnerability's classification as a type confusion issue also relates to the broader category of memory safety issues that affect many PDF processing applications, highlighting the importance of robust input validation and proper memory management practices. Security patches for this vulnerability should be prioritized and deployed immediately, as the combination of remote exploitability and the requirement for minimal user interaction makes it a high-priority target for threat actors.