CVE-2025-64512
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-64512, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-10

Last updated on: 2025-12-31

Assigner: GitHub, Inc.

Description

Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-10
Last Modified
2025-12-31
Generated
2026-07-06
AI Q&A
2025-11-11
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
pdfminer pdfminer.six to 2025-11-07 (exc)
debian debian_linux 11.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in pdfminer.six allows a malicious PDF file to specify an alternative zipped pickle file that contains arbitrary code. When pdfminer.six processes the PDF, it deserializes this malicious pickle file using pickle.loads(), which leads to automatic execution of the malicious code. This happens because the function CMapDB._load_data() trusts the pickle file specified by the PDF, as long as it ends with .pickle.gz.

Impact Analysis

If exploited, this vulnerability can lead to arbitrary code execution on the system processing the malicious PDF. This means an attacker could run harmful code, potentially leading to data theft, system compromise, or denial of service.

Mitigation Strategies

Upgrade pdfminer.six to version 20251107 or later, as this version fixes the vulnerability that allows arbitrary code execution via malicious pickle files.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64512. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart