Impact
The vulnerability arises from the application’s lack of checks for cyclic references within PDF objects that are processed by JavaScript. When a crafted PDF contains pages and annotations that reference each other in a loop, the deep traversal performed by APIs such as SOAP can trigger uncontrolled recursion, eventually exhausting the process stack and causing the application to crash. This effect manifests as a denial of service to the user and is classified as CWE‑674, Uncontrolled Recursion.
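The mitigation pattern for this class of bug (CWE-674) is a traversal that remembers which objects are already on the current path and refuses to follow a reference back into them, with a hard depth bound as a second line of defence. The following is an added illustration, not Foxit's code and not a model of its JavaScript engine: it uses a constructed, hypothetical object graph in which a page and an annotation reference each other, and contrasts an unchecked recursive walk with a cycle-aware one.

```python
"""Cycle-aware object traversal versus unchecked recursion.

Added example; the object graphs below are constructed stand-ins for the
page/annotation references a PDF walker would follow, not real PDF data.
"""

# Constructed toy graph: each key is an object id, the value lists the ids
# it references. "page1" -> "annot1" -> "page1" is a reference cycle.
TOY_CYCLIC = {
    "catalog": ["page1"],
    "page1": ["annot1", "annot2"],
    "annot1": ["page1"],  # points back at its own page
    "annot2": [],
}

# Constructed acyclic graph with the same shape minus the back-reference.
TOY_ACYCLIC = {
    "catalog": ["page1"],
    "page1": ["annot1", "annot2"],
    "annot1": [],
    "annot2": [],
}

# Constructed long, non-cyclic chain o0 -> o1 -> ... -> o100 (o100 has no entry).
TOY_CHAIN = {f"o{i}": [f"o{i + 1}"] for i in range(100)}


class RecursionGuardError(Exception):
    """Raised by walk_safe when the depth bound is exceeded."""


def walk_naive(objects, obj_id):
    """Unchecked recursive walk (the CWE-674 pattern).

    Returns the number of objects reached. On a cyclic graph it never
    terminates by itself; the interpreter stops it with RecursionError,
    which is the stack-exhaustion failure mode described in the advisory.
    """
    count = 1
    for child in objects.get(obj_id, []):
        count += walk_naive(objects, child)
    return count


def walk_safe(objects, root, max_depth=64):
    """Walk that detects reference cycles and bounds recursion depth.

    on_path holds the ids on the current recursion path: meeting one again
    is a cycle, which is recorded and not followed. done holds ids whose
    subtree is finished, so shared (non-cyclic) subtrees are not re-walked.
    max_depth caps the stack even for very long acyclic chains.
    Returns (sorted list of visited ids, list of (from, to) cycle edges).
    """
    on_path = []
    done = set()
    cycle_edges = []

    def visit(current, depth):
        if depth > max_depth:
            raise RecursionGuardError(
                f"depth {depth} exceeds {max_depth} at object {current!r}"
            )
        if current in on_path:
            cycle_edges.append((on_path[-1], current))
            return
        if current in done:
            return
        on_path.append(current)
        for child in objects.get(current, []):
            visit(child, depth + 1)
        on_path.pop()
        done.add(current)

    visit(root, 0)
    return sorted(done), cycle_edges


def demo():
    """Run both walkers on the cyclic graph and report what happened."""
    try:
        walk_naive(TOY_CYCLIC, "catalog")
        naive_result = "completed"
    except RecursionError:
        naive_result = "RecursionError"
    return naive_result, walk_safe(TOY_CYCLIC, "catalog")


if __name__ == "__main__":
    print(demo())
```

The on-path check is the actual fix for cycles; the depth bound alone would only turn an infinite recursion into a bounded one and would still reject legitimately deep but finite structures, which is why the safe walker keeps both and reports which edge closed the loop.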
Affected Systems
Both Foxit PDF Editor and Foxit PDF Reader from Foxit Software Inc. are affected. The vulnerability is potentially present in all current releases of these applications running on supported operating systems, including Apple macOS and Microsoft Windows. No specific version range is listed, so any installation of the PDF Editor or Reader should be treated as at risk until an update is applied.
Risk and Exploitability
The CVSS base score of 6.2 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, further indicating limited evidence of active exploitation. The likely attack vector is a malicious PDF file delivered to the user; opening the file would trigger the stack exhaustion. Because the impact is limited to application crash and does not provide privilege escalation or data exfiltration, the exploitability is confined to denial‑of‑service scenarios.
OpenCVE Enrichment