CVE-2025-64512
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2025-64512
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-64512.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2025-64512
- Aliases
- Downstream
- Related
- Published
- 2025-11-10T21:58:37.950Z
- Modified
- 2025-11-17T04:17:32.119925Z
- Severity
-
- 8.6 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- pdfminer.six vulnerable to Arbitrary Code Execution via Crafted PDF Input
- Details
-
Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The
CMapDB._load_data()function in pdfminer.six usespickle.loads()to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in thecmap/directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in.pickle.gz. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue. - Database specific
{ "cwe_ids": [ "CWE-502" ] }- References