CVE-2025-64512
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-10

Last updated on: 2025-12-31

Assigner: GitHub, Inc.

Description
Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-10
Last Modified
2025-12-31
Generated
2026-06-16
AI Q&A
2025-11-11
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64512
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
pdfminer pdfminer.six to 2025-11-07 (exc)
debian debian_linux 11.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in pdfminer.six allows a malicious PDF file to specify an alternative zipped pickle file that contains arbitrary code. When pdfminer.six processes the PDF, it deserializes this malicious pickle file using pickle.loads(), which leads to automatic execution of the malicious code. This happens because the function CMapDB._load_data() trusts the pickle file specified by the PDF, as long as it ends with .pickle.gz.

Impact Analysis

If exploited, this vulnerability can lead to arbitrary code execution on the system processing the malicious PDF. This means an attacker could run harmful code, potentially leading to data theft, system compromise, or denial of service.

Mitigation Strategies

Upgrade pdfminer.six to version 20251107 or later, as this version fixes the vulnerability that allows arbitrary code execution via malicious pickle files.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart