Code Execution Vulnerabilities Discovered in Nitro Pro PDF Reader

Published on October 15, 2021

Cisco Talos has declared that their team found two noticeable cybersecurity vulnerabilities in the Nitro Pro PDF Reader versions 13.31.0.605 and 13.33.2.645. The security vulnerabilities have to do with specially crafted documents exploiting JavaScript timeout objects and with reusing a document path even after it is destroyed.

The flaws, along with a short description, are the following:

The Cisco Talos Nitro Pro PDF JavaScript local_file_path Object use-after-free vulnerability test report details the CVE-2021-21796 vulnerability. In this case, a specially crafted document with an embedded malicious script launches an attack by reusing its directory path even after being destroyed. This potentially compromises user data after the malicious code is executed.

The Cisco Talos’ Nitro Pro PDF JavaScript Timeout test report details the first of the vulnerabilities mentioned above, CVE-2021-21797. It explains that this vulnerability allows for storing a timeout object at different paths. If a hacker convinces a user to open the doc, then its coded timeout object will be stored in different places and executed upon the document’s closing.

Cisco Talos has relayed these discovered vulnerabilities to Nitro, and the company is working towards releasing a patch for addressing these issues. Users can also avoid opening a malicious PDF by simply turning off JavaScript use in Nitro PDF Reader’s settings.

Last year, researchers from the Cisco Talos security team discovered four remote code execution (RCE) vulnerabilities in another PDF reader, a popular freemium alternative to Adobe Reader called Foxit.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: