[GH-ISSUE #1512] Documenso PDF Document Spoofing - Security Vulnerability #428

New issue

Closed

opened 2026-02-26 18:47:01 +03:00 by kerem · 3 comments

kerem commented 2026-02-26 18:47:01 +03:00

Owner

Copy link

Originally created by @kaerez on GitHub (Dec 5, 2024).
Original GitHub issue: https://github.com/documenso/documenso/issues/1512

Issue Description

CVE-2024-52271: User Interface (UI) Misrepresentation of Critical Information vulnerability in Documenso allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened.

Signed document
Documenso-Sec-MoU.pdf

Signing process

Steps to Reproduce

PoC file is not publicly released.

Expected Behavior

1. Identify multiple layers and offer to flatten them or strip them, before editing and signing.
2. Ensure PDF is flattened before appending the digital signature and making the file available for download.

Current Behavior

Editor and signing UI abide by the PDF structure and configuration, and do not perform the expected behavior flattening.

Screenshots (optional)

Signed document, common view - attack is designed to do just that

Signed document, print view - attack is designed to do just that

Operating System [e.g., Windows 10]

N/R

Browser [e.g., Chrome, Firefox]

N/R

Version [e.g., 2.0.1]

app.documenso.com

Please check the boxes that apply to this issue report.

• I have searched the existing issues to make sure this is not a duplicate.
• I have provided steps to reproduce the issue.
• I have included relevant environment information.
• I have included any relevant screenshots.
• I understand that this is a voluntary contribution and that there is no guarantee of resolution.
• I want to work on creating a PR for this issue if approved

Originally created by @kaerez on GitHub (Dec 5, 2024). Original GitHub issue: https://github.com/documenso/documenso/issues/1512 ### Issue Description CVE-2024-52271: User Interface (UI) Misrepresentation of Critical Information vulnerability in Documenso allows Content Spoofing.Displayed version does not show the layer flattened version, once download, If printed (e.g. via Google Chrome -> Examine the print preview): Will render the vulnerability only, not all layers are flattened. **Signed document** [Documenso-Sec-MoU.pdf](https://github.com/user-attachments/files/18023997/Documenso-Sec-MoU.pdf) **Signing process** <img width="1317" alt="SCR-20241205-nqrj" src="https://github.com/user-attachments/assets/90e2a2da-d111-4500-90a2-865a17051fcd"> <img width="1324" alt="SCR-20241205-nqph" src="https://github.com/user-attachments/assets/e93bb549-2cf9-4749-abee-baadcea0a501"> ### Steps to Reproduce PoC file is not publicly released. ### Expected Behavior 1. Identify multiple layers and offer to flatten them or strip them, before editing and signing. 2. Ensure PDF is flattened before appending the digital signature and making the file available for download. ### Current Behavior Editor and signing UI abide by the PDF structure and configuration, and do not perform the expected behavior flattening. ### Screenshots (optional) **Signed document, common view - attack is designed to do just that** <img width="1422" alt="SCR-20241205-nxcm" src="https://github.com/user-attachments/assets/adeb94ea-721a-4f1e-a412-4b5cc20054c2"> **Signed document, `print` view - attack is designed to do just that** <img width="1436" alt="SCR-20241205-nxhf" src="https://github.com/user-attachments/assets/12a54496-f32f-45cc-b090-b2fc2a7c79b7"> ### Operating System [e.g., Windows 10] N/R ### Browser [e.g., Chrome, Firefox] N/R ### Version [e.g., 2.0.1] app.documenso.com ### Please check the boxes that apply to this issue report. - [ ] I have searched the existing issues to make sure this is not a duplicate. - [ ] I have provided steps to reproduce the issue. - [ ] I have included relevant environment information. - [X] I have included any relevant screenshots. - [X] I understand that this is a voluntary contribution and that there is no guarantee of resolution. - [ ] I want to work on creating a PR for this issue if approved

kerem 2026-02-26 18:47:01 +03:00

• closed this issue
• added the
  status: triage
  label

kerem commented 2026-02-26 18:47:01 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Dec 5, 2024):

Thank you for opening your first issue and for being a part of the open signing revolution!

One of our team members will review it and get back to you as soon as it possible 💚

Meanwhile, please feel free to hop into our community in Discord

<!-- gh-comment-id:2520383494 --> @github-actions[bot] commented on GitHub (Dec 5, 2024): Thank you for opening your first issue and for being a part of the open signing revolution! <br /> One of our team members will review it and get back to you as soon as it possible 💚 <br /> Meanwhile, please feel free to hop into our community in [Discord](https://documen.so/discord)

kerem commented 2026-02-26 18:47:02 +03:00

Author

Owner

Copy link

@ElTimuro commented on GitHub (Dec 5, 2024):

@kaerez thanks for reporting. To clarify

• Not flattening the layers before displaying allows for content spoofing?
• Did you report this or only opened this issue from here https://nvd.nist.gov/vuln/detail/CVE-2024-52271 ?
• I assume "DocuSeal" is a typo?

We will investigate this and take further steps.

<!-- gh-comment-id:2520502314 --> @ElTimuro commented on GitHub (Dec 5, 2024): @kaerez thanks for reporting. To clarify - Not flattening the layers before displaying allows for content spoofing? - Did you report this or only opened this issue from here https://nvd.nist.gov/vuln/detail/CVE-2024-52271 ? - I assume "DocuSeal" is a typo? We will investigate this and take further steps.

kerem commented 2026-02-26 18:47:02 +03:00

Author

Owner

Copy link

@kaerez commented on GitHub (Dec 5, 2024):

@kaerez thanks for reporting. To clarify

• Not flattening the layers before displaying allows for content spoofing?
• Did you report this or only opened this issue from here https://nvd.nist.gov/vuln/detail/CVE-2024-52271 ?
• I assume "DocuSeal" is a typo?

We will investigate this and take further steps.

Hi @ElTimuro

1. Yes
2. Yes
3. Yeah, sorry :) - Fixed

<!-- gh-comment-id:2520517090 --> @kaerez commented on GitHub (Dec 5, 2024): > @kaerez thanks for reporting. To clarify > > * Not flattening the layers before displaying allows for content spoofing? > * Did you report this or only opened this issue from here https://nvd.nist.gov/vuln/detail/CVE-2024-52271 ? > * I assume "DocuSeal" is a typo? > > We will investigate this and take further steps. Hi @ElTimuro 1. Yes 2. Yes 3. Yeah, sorry :) - Fixed

kerem referenced this issue 2026-02-26 19:31:16 +03:00

[PR #428] [CLOSED] chore(deps): bump next from 13.4.19 to 13.5.3 in /apps/marketing #970

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

chore/translations

feat/signing-required-field-colors

feat/add-field-overflow-settings

chore/extract-translations

release

feat/public-completed-document-access

feat/bulk-download

docs/signing-reminders

feat/document-file-conversion

feat/prefetch-intent-navigation-links

fix/lint-project

fix/replace-linter-with-biome

fix/security-improvements

perf/dynamic-import-posthog

deps/vite-8

chore/migrate-eslint-prettier-to-oxlint-oxfmt

chore/migrate-to-pnpm

feat/add-pdf-image-renderer

feat/add-embed-v2

fix/extract-emails

feat/table-toolbar-filters

copilot/sub-pr-2478

fix/recipients-send-500

feat/external-2fa-codes

feat/protect-signing-urls

fix/checkbox-checked-values

duncan/legacy-api-endpoints

chore/block-po-files-locally

fix/default-embed-v2-document-rejection-to-false

fix/fields-dialog-title-description

copilot/sub-pr-2323

copilot/sub-pr-2267

exp/autoplace-fields

chore/server-hostname-config

fix/template-add-signers

fix/add-field-drag-drop-colors

fix/envelope-updates

feat/allow-formdata

archive/1.13.2

copilot/add-billing-section-account-page

fix/field-coordinate-bounds

feat/update-user-via-admin-dashboard

feat/expiry-links

feat/team-dashboard

feat/change-radio-direction

feat/admin-create-user-with-org

archive/v1.12.11

feat/envelopes-polish

feat/add-attachments-reworked

fix/font-size-fields

feat/improve-resend-dialog

fix/download-certificate-audit-log-safari

fix/duplicate-document-by-id

feat/document-table-filters

fix/template-migration

exp/effect

fix/migrate-template-metadata

exp/keyboard-signature

feat/document-2fa-redo

feat/add-attachments

feat/billing-redirect-flow

fix/add-api-logging

fix/duplicate-document-template-review

feat/handle-redirectto-param

feat/document-processing-status-indicator

feat/customize-doc-audit-log-certificate

feat/document-2fa

feat/organisations-backup-pls

feat/audit-logs-on-completed-document

chore/webhook-trigger-multiselect

exp/bg

chore/single-signer-wording

fix/template-uploading

feat/bin-tab

fix/staging-test

feat/rr7

squish/rr7

archive/nextjs

power-signer

fix/field-placements

fix/team-member-invites

fix/checkbox-field-bugs

fix/leaderboard-query

fix/zapier-list-documents-endpoint

feat/dictate-signers

feat/allow-same-signer-email-multiple-times

wip/rr7-next

experiment/self-sign

fix/oidc-login-error

feat/document-qrcode

feat/mau

feat/copy-links-audit-logs

chore/december-dep-upgrades

wip/rr7

wip/rr7-auth-package

wip/rr7-better-auth-demo

experiment/what-if-user-ids-were-strings-instead-of-numbers

fix/refactor-api-routes

feat/add-owner-completed-email-setting

fix/embed-whitelabel-colors

feat/delete-archive

fun/sign-with-nose

expiry-links

chore/openpage-viral-metrics

fix/sitemap

feat/signing-reminder

feat/automated-fields-signature

feat/add-polish-translations

staging

fix/open-page

openpage-api-deploy

feat/pulumi

chore/angular-embed-docs

exp/next-15

chore/select-signer

feat/save-data-on-blur

feat/save-recipients-on-blur

feat/signature-color

feat/team-email-template

chore/documenso-url

chore/add-ctas

fix/docker-setup-and-documentation

fix/document-creation-timezone

feat/telemetry

feat/integration-animation

fix/render-deployment

feat/publicProfile

feat/redirect-templates

feat/passkey-dialog

fix/refactor-use-template

chore/resend-onUpdate

chore/subject-onBlur

fix/demo-trpc-duration

fix/self-signer-custom-email-message

fix/benchmark

feat/add-myself-as-signer-temp

feat/checkbox-type

feat/update-marketing-header

experiment/queue

feat/error-demo

feat/add-document-auth-options

feat/document-2fa-test

chore/status-widget

open-page-restructure

feat/document-passkey-test

chore/form-reset

fix/neon-db-migration-test

feat/public-profile

feat/launch-week-content

webhooks_plus_api

exp/custom-field-labels

feat/accept-text-signature

feat/document-version-history

fix/delete-recipient-owners

fix/whitespace-title

feat/refresh

exp/million

feat/doc-comments

ElTimuro-patch-1

feat/teams-slugify

pr/537

date-format-setting

exp/millionjs

feat/runtime-env

chore/next-14

feat/chat-with-documents

feat/plan-limits

fix/467-bugsafari-only-unable-to-copy-document-sharing-link

feat/admin-ui-manage-instance

feat/stripe-free-tier

fix/cascade-delete-share-links

feat/marketing-share-document

feat/single-player-mode-polish

feat/next-13-5-3

chore/github-templates

docs/render-deploy

chore/code-of-conduct

chore/team

feat/add-e2e-testing

docs/minor-readme-updatess

docs/dx

feat-early-adopters

feat/open-early-adopters

fix/432-signee-doc-version-doesnt-have-sticky-signing-area

fix/446-cancel-cta-does-nothing-when-a-signer-opens-the-document

fix/445-signer-name-not-persisting

feat/resend-transport

fix/incorrect-completed-stats

feat/update-email-templates

feat/mania

feat/copy-or-tweet

feat/add-design-system-page

feat/single-player-mode

feat/completed-share-link

feat/designsystem

feat/send-email

feat/custom-emails

blog/upcoming-blog-post

feat/single-player-mode-test

feat/reset-password

blog/selfhosting-blog-post

feat/redirect-signed-document

fix/og-description

feat/universal-upload

chore/readme

chore/blogposts

fix/building-documenso-description

feat/admin-ui-metrics

feat/avatar-fallback

feat/templates

feat/blog-post-next

fix/hide-user-selection

feat/disable-sign

feat/marketing-mobile-nav

chore/remove-console-log-warn

feat/add-email-field

fix/redirect-signin-to-dashboard

feat/blog-og-image

feat/redirect-on-send

feat/billing-page

feat/profile-password-form

fix/signature-color-dark-mode

feat/inbox

feat/promise-safety

readme

chore/reduce-refetch-time

feat/update-document-flow

feat/refactor-shared-components

feat/feature-flag

feat/document-authoring

feat/pie-chart-legend

feat/open-page

docs/add-gitpod-setup

docs/add-render-deploy

docs-coventional-commits

feat/table-actions

minor/updates-google-auth-refresh

feat/add-document-animation

feat/new-email-template

feat/password-reset

fix/send-error-double-send

fix/improve-stripe-webhook-endpoint

feat/support-custom-cert-paths

feat/DOC-170-add-name-field

fix/improve-general-styling

feat/DOC-210-sign-dialog-broken-on-second-opening

bugfix-#71/invalid-email-hint

chore/optimise-deps

test-pr

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.1

v2.7.0

v2.6.1

v2.6.0

v2.5.1

v2.5.0

v2.4.0

v2.3.2

v2.3.1

v2.3.0

v2.2.8

v2.2.7

v2.2.6

v2.2.5

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.0

v2.0.14

v2.0.13

v2.0.12

v2.0.11

v2.0.10

v2.0.9

v2.0.8

v2.0.7

v2.0.6

v2.0.5

v2.0.4

v2.0.3

v2.0.2

v2.0.1

v2.0.0

v1.13.2

v1.13.1

v1.13.0

v1.12.10

v1.12.9

v1.12.8

v1.12.7

v1.12.6

v1.12.5

v1.12.4

v1.12.3

v1.12.2-rc.6

v1.12.2-rc.5

v1.12.2-rc.4

v1.12.2-rc.3

v1.12.2-rc.2

v1.12.2-rc.1

v1.12.2-rc.0

v1.12.1

v1.12.0

v1.12.0-rc.8

v1.12.0-rc.7

v1.12.0-rc.6

v1.12.0-rc.5

v1.12.0-rc.4

v1.12.0-rc.3

v1.12.0-rc.2

v1.12.0-rc.1

v1.12.0-rc.0

v1.11.1

v1.11.0

v1.10.3

v1.10.2

v1.10.1

v1.10.0

v1.10.0-rc.5

v1.10.0-rc.4

v1.10.0-rc.3

v1.10.0-rc.2

v1.10.0-rc.1

v1.10.0-rc.0

v1.9.1-rc.9

v1.9.1

v1.9.1-rc.8

v1.9.1-rc.7

v1.9.1-rc.6

v1.9.1-rc.5

v1.9.1-rc.4

v1.9.1-rc.3

v1.9.1-rc.2

v1.9.1-rc.1

v1.9.1-rc.0

v1.9.0

v1.9.0-rc.12

v1.9.0-rc.11

v1.9.0-rc.10

v1.9.0-rc.9

v1.9.0-rc.8

v1.9.0-rc.7

v1.9.0-rc.6

v1.9.0-rc.5

final-marketing-release

v1.9.0-rc.4

v1.9.0-rc.3

v1.9.0-rc.2

v1.9.0-rc.1

v1.9.0-rc.0

v1.8.1

v1.8.1-rc.9

v1.8.1-rc.8

v1.8.1-rc.7

v1.8.1-rc.6

v1.8.1-rc.5

v1.8.1-rc.4

v1.8.1-rc.3

v1.8.1-rc.2

v1.8.1-rc.1

v1.8.1-rc.0

v1.8.0-rc.4

v1.8.0

v1.8.0-rc.3

v1.8.0-rc.2

v1.8.0-rc.1

v1.8.0-rc.0

v1.7.2

v1.7.2-rc.4

v1.7.2-rc.3

v1.7.2-rc.2

v1.7.2-rc.1

v1.7.2-rc.0

v1.7.1-rc.3

v1.7.1

v1.7.1-rc.2

v1.7.1-rc.1

v1.7.1-rc.0

v1.7.0

v1.7.0-rc.5

v1.7.0-rc.4

v1.7.0-rc.3

v1.7.0-rc.2

v1.7.0-rc.1

v1.7.0-rc.0

v1.6.1

v1.6.1-rc.1

v1.6.1-rc.0

v1.6.0

v1.6.0-rc.3

v1.6.0-rc.2

v1.6.0-rc.1

v1.6.0-rc.0

v1.5.6

v1.5.6-rc.4

v1.5.6-rc.3

v1.5.6-rc.2

v1.5.6-rc.1

v1.5.6-rc.0

v1.5.5-rc.8

v1.5.5

v1.5.5-rc.7

v1.5.5-rc.6

v1.5.5-rc.5

v1.5.5-rc.4

v1.5.5-rc.3

v1.5.5-rc.2

v1.5.5-rc.1

v1.5.5-rc.0

v1.5.4-rc.5

v1.5.4

v1.5.4-rc.4

v1.5.4-rc.3

v1.5.4-rc.2

v1.5.4-rc.1

v1.5.4-rc.0

v1.5.3-rc.1

v1.5.3

v1.5.3-rc.0

v1.5.2-rc.8

v1.5.2

v1.5.2-rc.7

v1.5.2-rc.6

v1.5.2-rc.5

v1.5.2-rc.4

v1.5.2-rc.3

v1.5.2-rc.2

v1.5.2-rc.1

v1.5.2-rc.0

v1.5.1

v1.5.1-rc.0

v1.5.0-rc.6

v1.5.0

v1.5.0-rc.5

v1.5.0-rc.4

v1.5.0-rc.3

v1.5.0-rc.2

v1.5.0-rc.1

v1.5.0-rc.0

v1.4.0-rc.0

v1.4.0

v1.3.2-rc.0

v1.3.1-rc.2

v1.3.1

v1.3.1-rc.1

v1.3.1-rc.0

v1.3.0-rc.2

v1.3.0

v1.3.0-rc.1

v1.3.0-rc.0

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.1

v1.0

v0.9

before-prettier

0.9-developer-preview

Labels

Clear labels   

Compliance

  

Stale

  

apps: marketing

  

apps: web

  

community

  

component: api

  

component: integrations

  

component: ui

  

duplicate

  

effort: low

  

effort: medium

  

good first issue

  

hacktoberfest

  

help wanted

  

needs triage

  

needs-replication

  

needs-testing

  

on-hold

  

osshack

  

priority: high

  

priority: low

  

priority: medium

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

roadmap

  

status: assigned

  

status: blocked

  

status: in progress

  

status: triage

  

type: bug

  

type: bug

  

type: bug

  

type: documentation

  

type: enhancement

  

type: feature

  

wontfix

  

💎 Bounty

  

💰 Rewarded

  

💰 Rewarded

No labels

Compliance

Stale

apps: marketing

apps: web

community

component: api

component: integrations

component: ui

duplicate

effort: low

effort: medium

good first issue

hacktoberfest

help wanted

needs triage

needs-replication

needs-testing

on-hold

osshack

priority: high

priority: low

priority: medium

pull-request

question

roadmap

status: assigned

status: blocked

status: in progress

status: triage

type: bug

type: bug

type: bug

type: documentation

type: enhancement

type: feature

wontfix

💎 Bounty

💰 Rewarded

💰 Rewarded

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/documenso#428

No description provided.