CVE-2025-59933
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-29

Last updated on: 2025-10-18

Assigner: GitHub, Inc.

Description
libvips is a demand-driven, horizontally threaded image processing library. For versions 8.17.1 and below, when libvips is compiled with support for PDF input via poppler, the pdfload operation is affected by a buffer read overflow when parsing the header of a crafted PDF with a page that defines a width but not a height. Those using libvips compiled without support for PDF input are unaffected as well as thosewith support for PDF input via PDFium. This issue is fixed in version 8.17.2. A workaround for those affected is to block the VipsForeignLoadPdf operation via vips_operation_block_set, which is available in most language bindings, or to set VIPS_BLOCK_UNTRUSTED environment variable at runtime, which will block all untrusted loaders including PDF input via poppler.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-29
Last Modified
2025-10-18
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-59933
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
libvips libvips to 8.17.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-126 The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a buffer read overflow in the libvips image processing library when compiled with PDF input support via poppler. It occurs during the pdfload operation when parsing a crafted PDF that has a page defining a width but not a height. This can cause the program to read beyond the intended buffer limits, potentially leading to unexpected behavior or crashes. The issue affects versions 8.17.1 and below and is fixed in version 8.17.2.

Impact Analysis

The vulnerability can lead to a buffer read overflow, which may cause the application using libvips to crash or behave unpredictably when processing specially crafted PDF files. This could potentially be exploited to cause denial of service or other unintended effects. However, users of libvips compiled without PDF input support or with PDF input via PDFium are not affected.

Mitigation Strategies

To mitigate this vulnerability, you can either block the VipsForeignLoadPdf operation using vips_operation_block_set available in most language bindings, or set the VIPS_BLOCK_UNTRUSTED environment variable at runtime to block all untrusted loaders including PDF input via poppler. Additionally, upgrading libvips to version 8.17.2 or later will fix the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-59933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart