Security Concerns (CVE-2025-26240)
I was wondering whether this library is still in use or maintained at all.
I looked into its functionality and found that the from_string method is extremely dangerous, and I haven't seen any warnings about using from_string with untrusted HTML.
The vulnerability has been assigned a CVE ID CVE-2025-26240.
A simple proof of concept for the vulnerability is available in my GitHub repository: https://github.com/Habuon/CVE-2025-26240
More details are available on my GitHub blog: https://habuon.github.io/2025/03/12/pdfkit-vulnerability-(CVE-2025-26240).html
Short Summary of the Vulnerability
The vulnerability is caused by the from_string method parsing user-provided HTML, with no available option to mitigate the risk. The from_string method looks for meta tags whose names start with "pdfkit-" and treats their content values as command-line parameters for the wkhtmltopdf tool. This parsing is performed in the _find_options_in_meta method, located in the pdfkit/pdfkit.py file. While this functionality may be useful for certain use cases (such as setting the paper size), some wkhtmltopdf arguments pose security risks.
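To make the mechanism concrete, the following is an added example (not pdfkit's own code and not the proof of concept linked above): it re-implements the meta-tag scan the summary describes as a regex over the raw HTML, runs it over a constructed untrusted document to show that a caller never sees which options the HTML injected, and then shows a defensive wrapper that strips any "pdfkit-" meta tag whose name is not on an explicit allowlist before the HTML ever reaches from_string. The option names in the sample HTML and the allowlist contents are illustrative assumptions, and the regex only approximates the library's behaviour.

```python
import re

META_TAG_PREFIX = "pdfkit-"

# Options an application is willing to let the document itself choose.
# Hypothetical allowlist for this example; pick the set your app needs.
ALLOWED_META_OPTIONS = {"page-size", "orientation"}

# Constructed sample of untrusted HTML: one harmless layout hint and one
# attacker-controlled option name ("some-option" is a placeholder, not a
# specific wkhtmltopdf flag).
UNTRUSTED_HTML = """<html><head>
<meta charset="utf-8">
<meta name="description" content="user profile">
<meta name="pdfkit-page-size" content="A4">
<meta name="pdfkit-some-option" content="attacker-value">
</head><body><p>Hello</p></body></html>"""


def find_options_in_meta(content: str, prefix: str = META_TAG_PREFIX) -> dict:
    """Approximation of the scan described for pdfkit's _find_options_in_meta:
    every <meta> tag whose name starts with the prefix becomes an option
    (name without prefix -> content attribute). Not the library's code."""
    found = {}
    name_re = re.compile(r'name=["\']%s([^"\']*)' % re.escape(prefix))
    for tag in re.findall(r"<meta [^>]*>", content):
        name_match = name_re.search(tag)
        if not name_match:
            continue
        value_match = re.search(r'content=["\']([^"\']*)', tag)
        found[name_match.group(1)] = value_match.group(1) if value_match else ""
    return found


def strip_pdfkit_meta(content: str,
                      prefix: str = META_TAG_PREFIX,
                      allowed: set = frozenset(ALLOWED_META_OPTIONS)) -> str:
    """Remove every prefixed <meta> tag not explicitly allowed.

    The tag regex is deliberately at least as broad as the parser's
    (same `<meta [^>]*>` shape, but case-insensitive), so anything the
    parser could pick up is seen here first. Non-prefixed meta tags such
    as charset or description are left untouched."""
    name_re = re.compile(r'name=["\']%s([^"\']*)' % re.escape(prefix), re.IGNORECASE)

    def keep_or_drop(match):
        tag = match.group(0)
        name_match = name_re.search(tag)
        if name_match and name_match.group(1).lower() not in allowed:
            return ""  # drop the attacker-controllable option
        return tag

    return re.sub(r"<meta [^>]*>", keep_or_drop, content, flags=re.IGNORECASE)


def demo(untrusted_html: str = UNTRUSTED_HTML) -> dict:
    """Return what the parser would extract before and after sanitising."""
    return {
        "before": find_options_in_meta(untrusted_html),
        "after": find_options_in_meta(strip_pdfkit_meta(untrusted_html)),
        "description_kept": 'name="description"' in strip_pdfkit_meta(untrusted_html),
    }


if __name__ == "__main__":
    result = demo()
    print("options extracted from raw untrusted HTML:", result["before"])
    print("options extracted after stripping:       ", result["after"])
```

The safest posture when the HTML is fully untrusted is an empty allowlist (drop every "pdfkit-" meta tag and pass layout options only through the explicit options argument the application controls); the allowlist form is shown for callers that genuinely rely on document-supplied paper size. Because the sanitiser mirrors the regex shape of the parser rather than a real HTML parser, keep the two in step if the library's matching rules change.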