CVE-2025-59933
BaseFortify
Publication date: 2025-09-29
Last updated on: 2025-10-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| libvips | libvips | versions before 8.17.2 (8.17.2 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-126 | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a buffer read overflow in the libvips image processing library when compiled with PDF input support via poppler. It occurs during the pdfload operation when parsing a crafted PDF that has a page defining a width but not a height. This can cause the program to read beyond the intended buffer limits, potentially leading to unexpected behavior or crashes. The issue affects versions 8.17.1 and below and is fixed in version 8.17.2.
How can this vulnerability impact me?
The vulnerability is a buffer read overflow: an application using libvips may crash or behave unpredictably when it processes a specially crafted PDF file, which could be used to cause a denial of service or other unintended effects. Users of libvips compiled without PDF input support, or with PDF input via PDFium, are not affected.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, block the VipsForeignLoadPdf operation with vips_operation_block_set (available in most language bindings), or set the VIPS_BLOCK_UNTRUSTED environment variable at runtime to block all untrusted loaders, including PDF input via poppler. Upgrading libvips to version 8.17.2 or later fixes the issue.