CVE-2025-59801
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-09-22
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| artifex | ghostscript | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-59801 is a stack-based buffer overflow vulnerability in Artifex GhostXPS before version 10.06.0. It occurs in the function xps_unpredict_tiff in the file xpstiff.c because the samplesperpixel value is not checked before being used to index a fixed-size stack buffer. This lack of validation allows an attacker to write beyond the allocated buffer, causing a stack buffer overflow that can corrupt the stack and potentially control the instruction pointer under certain conditions. [1]
How can this vulnerability impact me?
This vulnerability can cause crashes and stack corruption in affected GhostXPS versions. In environments where modern mitigations like ASLR and stack canaries are disabled, an attacker can exploit this overflow to control the instruction pointer, potentially leading to remote code execution. However, under normal hardened builds with these protections enabled, exploitation is difficult and would require chaining with other vulnerabilities such as information leaks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing Ghostscript's handling of XPS files containing TIFF images with malformed samplesperpixel values. Using AddressSanitizer (ASan) during testing can reveal stack-buffer-overflow errors in the function xps_unpredict_tiff in xpstiff.c. A proof-of-concept file (pwn.xps) can be used to trigger the overflow. Specific commands would involve running Ghostscript with ASan instrumentation on suspicious XPS files to detect out-of-bounds writes. However, no direct network detection commands or signatures are provided. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Ghostscript to version 10.06.0 or later where the vulnerability is fixed by adding proper validation of the samplesperpixel parameter. Additionally, ensure that system-level protections such as ASLR and stack canaries are enabled to prevent exploitation. Avoid processing untrusted XPS files with vulnerable versions of Ghostscript until patched. [1]
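The explanation above (a file-supplied samplesperpixel used as an index bound for a fixed-size stack buffer) and the fix it describes (validating that value first) are shown below as an added, hypothetical illustration. This is not GhostXPS code: the function names, the buffer size MAX_SAMPLES, the 8-bit horizontal-differencing logic and the sample row are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the bug class described on this page; hypothetical
 * code, not taken from GhostXPS. Names and the buffer size are assumptions. */

#define MAX_SAMPLES 8   /* assumed capacity of the fixed-size stack buffer */

/* TIFF horizontal-differencing predictor for 8-bit samples: each sample is
 * stored as the difference from the corresponding sample in the pixel to its
 * left. Unpredicting walks the row and adds the running per-channel value back. */

/* Vulnerable shape: 'samplesperpixel' comes straight from the file and bounds
 * the index into 'prev' without ever being compared against MAX_SAMPLES, so a
 * value above MAX_SAMPLES writes past the end of a stack array. Kept here only
 * to show what the missing check looks like; only ever called with valid input. */
static void unpredict_row_unchecked(uint8_t *row, size_t width, int samplesperpixel)
{
    uint8_t prev[MAX_SAMPLES];
    memset(prev, 0, sizeof prev);
    for (size_t x = 0; x < width; x++) {
        for (int s = 0; s < samplesperpixel; s++) {   /* no bound on s */
            prev[s] = (uint8_t)(prev[s] + row[x * samplesperpixel + s]);
            row[x * samplesperpixel + s] = prev[s];
        }
    }
}

/* Hardened form: validate the file-supplied value against the buffer size (and
 * against nonsense values) before it is used as an index. Returns 0 on success
 * and -1 on rejection, leaving the row untouched in that case. */
static int unpredict_row_checked(uint8_t *row, size_t width, int samplesperpixel)
{
    if (samplesperpixel < 1 || samplesperpixel > MAX_SAMPLES)
        return -1;                                   /* reject before indexing */
    uint8_t prev[MAX_SAMPLES];
    memset(prev, 0, sizeof prev);
    for (size_t x = 0; x < width; x++) {
        for (int s = 0; s < samplesperpixel; s++) {
            prev[s] = (uint8_t)(prev[s] + row[x * samplesperpixel + s]);
            row[x * samplesperpixel + s] = prev[s];
        }
    }
    return 0;
}

/* Demonstration helper: unpredict a constructed 3-pixel RGB row with the
 * checked version and return the red sample of the last pixel (30). */
static int demo_valid_row(void)
{
    /* Constructed differenced row: pixel0 = (10,20,30), then +10 per channel. */
    uint8_t row[9] = {10, 20, 30, 10, 10, 10, 10, 10, 10};
    if (unpredict_row_checked(row, 3, 3) != 0)
        return -1;
    return row[6];   /* 10 + 10 + 10 */
}

/* Demonstration helper: returns 1 when an oversized samplesperpixel is
 * rejected by the checked version and the row is left untouched. */
static int demo_rejects_oversized(void)
{
    uint8_t row[16] = {0};
    if (unpredict_row_checked(row, 1, 64) != -1)
        return 0;
    if (unpredict_row_checked(row, 1, 0) != -1)
        return 0;
    return row[0] == 0;
}

int main(void)
{
    uint8_t same[9] = {10, 20, 30, 10, 10, 10, 10, 10, 10};
    unpredict_row_unchecked(same, 3, 3);   /* valid input: both variants agree */
    printf("unchecked, last red sample: %d\n", same[6]);
    printf("checked,   last red sample: %d\n", demo_valid_row());
    printf("oversized samplesperpixel rejected: %s\n",
           demo_rejects_oversized() ? "yes" : "no");
    return 0;
}
```

The point of the check is that it sits before any array access, so a malformed value never reaches the loop; building the same code with AddressSanitizer (-fsanitize=address) is how the unchecked variant's out-of-bounds write would surface during testing, as the detection answer above describes.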