CVE-2023-35985 in Foxit
Summary
by MITRE • 11/27/2023
An arbitrary file creation vulnerability exists in the Javascript exportDataObject API of Foxit Reader 12.1.3.15356 due to a failure to properly validate a dangerous extension. A specially crafted malicious file can create files at arbitrary locations, which can lead to arbitrary code execution. An attacker needs to trick the user into opening the malicious file to trigger this vulnerability. Exploitation is also possible if a user visits a specially-crafted malicious site if the browser plugin extension is enabled.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 02/04/2026
The vulnerability identified as CVE-2023-35985 represents a critical arbitrary file creation flaw within Foxit Reader version 12.1.3.15356 that stems from insufficient input validation in the Javascript exportDataObject API. This weakness allows attackers to manipulate the file creation process by exploiting a dangerous extension validation mechanism that fails to properly sanitize user-supplied file paths or extensions. The vulnerability specifically targets the exportDataObject function which is designed to handle data export operations but lacks adequate safeguards against malicious input that could enable unauthorized file system modifications.
The technical exploitation of this vulnerability occurs through a carefully crafted malicious file that, when opened by an unsuspecting user, triggers the flawed exportDataObject API. The vulnerability manifests when the API processes a file path that contains a dangerous extension, bypassing normal file system security controls that would typically prevent creation of files in sensitive system locations. This flaw essentially allows an attacker to specify arbitrary file paths and create files anywhere within the target system's file structure, potentially including system directories or locations where executable files could be placed.
The operational impact of this vulnerability extends beyond simple unauthorized file creation to encompass potential arbitrary code execution capabilities. When combined with the ability to create files at arbitrary locations, attackers can potentially place malicious executables or scripts in locations where they will be executed automatically by the system or user. This scenario creates a significant risk for privilege escalation attacks, especially if the user has elevated system privileges. The vulnerability can be triggered through multiple vectors including direct file opening and web-based exploitation when browser plugin extensions are enabled, expanding the attack surface significantly.
Security professionals should consider this vulnerability in the context of the CWE-73 weakness category, which specifically addresses improper neutralization of special elements used in file names or paths. The ATT&CK framework would classify this as a technique involving file and directory permissions modification, potentially leading to privilege escalation and persistence mechanisms. Organizations should implement immediate mitigations including disabling the vulnerable browser plugin extension, updating to patched versions of Foxit Reader, and implementing strict file access controls. Network-level protections such as web application firewalls and content filtering systems can help detect and block malicious file delivery attempts. Regular security awareness training for users to recognize potentially malicious files and sites remains crucial in preventing successful exploitation of this vulnerability.