CVE-2025-14407
Unknown Unknown - Not Provided

Memory Corruption in Soda PDF Desktop Allows Information Disclosure

Vulnerability report for CVE-2025-14407, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-12-23

Last updated on: 2025-12-23

Assigner: Zero Day Initiative

Description

Soda PDF Desktop PDF File Parsing Memory Corruption Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of Soda PDF Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PDF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this in conjunction with other vulnerabilities to execute arbitrary code in the context of the current process. Was ZDI-CAN-27141.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-12-23
Last Modified
2025-12-23
Generated
2026-07-06
AI Q&A
2025-12-24
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
soda_pdf soda_pdf_desktop *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-119 The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a memory corruption issue in Soda PDF Desktop that occurs during the parsing of PDF files. It happens because the software does not properly validate user-supplied data, which can lead to memory corruption. Exploiting this requires user interaction, such as opening a malicious file or visiting a malicious page. An attacker can use this flaw to disclose sensitive information and potentially execute arbitrary code by combining it with other vulnerabilities.

Impact Analysis

This vulnerability can allow remote attackers to disclose sensitive information on affected Soda PDF Desktop installations. Additionally, if combined with other vulnerabilities, it could enable attackers to execute arbitrary code within the context of the current process, potentially compromising the system. Exploitation requires user interaction.

Compliance Impact

This vulnerability allows remote attackers to disclose sensitive information by exploiting a memory corruption flaw in Soda PDF Desktop. Such unauthorized disclosure of sensitive information could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive data against unauthorized access or disclosure. Therefore, affected installations may face compliance risks if this vulnerability is exploited.

Mitigation Strategies

To mitigate this vulnerability, avoid opening PDF files from untrusted sources and do not visit malicious web pages that could exploit the vulnerability. Ensure that Soda PDF Desktop is updated with any security patches provided by the vendor once available. Additionally, consider restricting user privileges and applying network security controls to limit exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14407. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart