CVE-2025-59801
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-09-22

Assigner: MITRE

Description
In Artifex GhostXPS before 10.06.0, there is a stack-based buffer overflow in xps_unpredict_tiff in xpstiff.c because the samplesperpixel value is not checked.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-09-22
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59801
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
artifex ghostscript *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-59801 is a stack-based buffer overflow vulnerability in Artifex GhostXPS before version 10.06.0. It occurs in the function xps_unpredict_tiff in the file xpstiff.c because the samplesperpixel value is not checked before being used to index a fixed-size stack buffer. This lack of validation allows an attacker to write beyond the allocated buffer, causing a stack buffer overflow that can corrupt the stack and potentially control the instruction pointer under certain conditions. [1]

Impact Analysis

This vulnerability can cause crashes and stack corruption in affected GhostXPS versions. In environments where modern mitigations like ASLR and stack canaries are disabled, an attacker can exploit this overflow to control the instruction pointer, potentially leading to remote code execution. However, under normal hardened builds with these protections enabled, exploitation is difficult and would require chaining with other vulnerabilities such as information leaks. [1]

Detection Guidance

This vulnerability can be detected by analyzing Ghostscript's handling of XPS files containing TIFF images with malformed samplesperpixel values. Using AddressSanitizer (ASan) during testing can reveal stack-buffer-overflow errors in the function xps_unpredict_tiff in xpstiff.c. A proof-of-concept file (pwn.xps) can be used to trigger the overflow. Specific commands would involve running Ghostscript with ASan instrumentation on suspicious XPS files to detect out-of-bounds writes. However, no direct network detection commands or signatures are provided. [1]

Mitigation Strategies

Immediate mitigation steps include updating Ghostscript to version 10.06.0 or later where the vulnerability is fixed by adding proper validation of the samplesperpixel parameter. Additionally, ensure that system-level protections such as ASLR and stack canaries are enabled to prevent exploitation. Avoid processing untrusted XPS files with vulnerable versions of Ghostscript until patched. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59801. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart