fkie_cve-2025-64512
Vulnerability from fkie_nvd
Published
2025-11-10 22:15
Modified
2025-11-19 01:15
Severity ?
8.6 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue.
References
security-advisories@github.comhttps://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086
security-advisories@github.comhttps://github.com/pdfminer/pdfminer.six/releases/tag/20251107
security-advisories@github.comhttps://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2025/11/msg00017.html
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Pdfminer.six es una bifurcaci\u00f3n mantenida por la comunidad del PDFMiner original, una herramienta para extraer informaci\u00f3n de documentos PDF. Antes de la versi\u00f3n 20251107, pdfminer.six ejecutar\u00e1 c\u00f3digo arbitrario de un archivo pickle malicioso si se le proporciona un archivo PDF malicioso. La funci\u00f3n \u0027CMapDB._load_data()\u0027 en pdfminer.six utiliza \u0027pickle.loads()\u0027 para deserializar archivos pickle. Se supone que estos archivos pickle forman parte de la distribuci\u00f3n de pdfminer.six almacenada en el directorio \u0027cmap/\u0027, pero un PDF malicioso puede especificar un directorio y nombre de archivo alternativos siempre que el nombre de archivo termine en \u0027.pickle.gz\u0027. Un archivo pickle malicioso y comprimido puede entonces contener c\u00f3digo que se ejecutar\u00e1 autom\u00e1ticamente cuando se procese el PDF. La versi\u00f3n 20251107 corrige el problema."
    }
  ],
  "id": "CVE-2025-64512",
  "lastModified": "2025-11-19T01:15:56.897",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-10T22:15:40.067",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pdfminer/pdfminer.six/releases/tag/20251107"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00017.html"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.