FKIE_CVE-2025-64512

Vulnerability from fkie_nvd - Published: 2025-11-10 22:15 - Updated: 2025-11-19 01:15
Severity ?
8.6 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Summary
Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue.
References
security-advisories@github.comhttps://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086
security-advisories@github.comhttps://github.com/pdfminer/pdfminer.six/releases/tag/20251107
security-advisories@github.comhttps://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2025/11/msg00017.html
134c704f-9b21-4f2e-91b3-4a467353bcc0https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue."
    },
    {
      "lang": "es",
      "value": "Pdfminer.six es una bifurcaci\u00f3n mantenida por la comunidad del PDFMiner original, una herramienta para extraer informaci\u00f3n de documentos PDF. Antes de la versi\u00f3n 20251107, pdfminer.six ejecutar\u00e1 c\u00f3digo arbitrario de un archivo pickle malicioso si se le proporciona un archivo PDF malicioso. La funci\u00f3n \u0027CMapDB._load_data()\u0027 en pdfminer.six utiliza \u0027pickle.loads()\u0027 para deserializar archivos pickle. Se supone que estos archivos pickle forman parte de la distribuci\u00f3n de pdfminer.six almacenada en el directorio \u0027cmap/\u0027, pero un PDF malicioso puede especificar un directorio y nombre de archivo alternativos siempre que el nombre de archivo termine en \u0027.pickle.gz\u0027. Un archivo pickle malicioso y comprimido puede entonces contener c\u00f3digo que se ejecutar\u00e1 autom\u00e1ticamente cuando se procese el PDF. La versi\u00f3n 20251107 corrige el problema."
    }
  ],
  "id": "CVE-2025-64512",
  "lastModified": "2025-11-19T01:15:56.897",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.6,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-11-10T22:15:40.067",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pdfminer/pdfminer.six/releases/tag/20251107"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2025/11/msg00017.html"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.