CVE-2019-25549
Buffer Overflow in VeryPDF PCL Converter 2.7 Causes DoS
Publication date: 2026-03-21
Last updated on: 2026-04-16
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| verypdf | verypdf | 2.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25549 is a denial of service vulnerability in VeryPDF PCL Converter version 2.7 and earlier. It occurs due to a buffer overflow caused by an excessively long password string supplied in the PDF Security encryption fields.
Specifically, if a local attacker inputs a password of about 3000 bytes in length, the application crashes when processing PCL files. This happens because the application does not properly handle the large password input, leading to an out-of-bounds write.
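The bug class described above (CWE-787 on an over-long password) and its fix, as an added example that is not the vendor's code or part of the original advisory. It assumes the password feeds the PDF standard security handler, which pads or truncates every password to a 32-byte block; `pdf_pad_password` and `overlong_password_is_contained` are hypothetical names.

```c
#include <stddef.h>
#include <string.h>

#define PDF_PW_LEN 32  /* password block size, PDF standard security handler (R2-R4) */

/* Padding string defined by the PDF specification for that handler. */
static const unsigned char PDF_PAD[PDF_PW_LEN] = {
    0x28,0xBF,0x4E,0x5E,0x4E,0x75,0x8A,0x41,0x64,0x00,0x4E,0x56,0xFF,0xFA,0x01,0x08,
    0x2E,0x2E,0x00,0xB6,0xD0,0x68,0x3E,0x80,0x2F,0x0C,0xA9,0xFE,0x64,0x53,0x69,0x7A
};

/* Unsafe pattern (CWE-787), shown for contrast only and not compiled here:
 *     unsigned char block[PDF_PW_LEN];
 *     strcpy((char *)block, ui_text);   // input longer than block[] overruns it
 */

/* Pad or truncate a password of any length into exactly PDF_PW_LEN bytes.
 * Returns the number of password bytes kept, or -1 on bad arguments. */
int pdf_pad_password(unsigned char out[PDF_PW_LEN], const char *pw, size_t pw_len)
{
    if (out == NULL || (pw == NULL && pw_len != 0))
        return -1;
    size_t keep = pw_len < PDF_PW_LEN ? pw_len : PDF_PW_LEN;  /* clamp before copying */
    if (keep) memcpy(out, pw, keep);
    memcpy(out + keep, PDF_PAD, PDF_PW_LEN - keep);            /* fill the remainder */
    return (int)keep;
}

/* Constructed input: 3000 'A' bytes, the length the advisory cites.
 * Returns 1 if the block was filled and the guard bytes after it are intact. */
int overlong_password_is_contained(void)
{
    static char input[3000];
    struct { unsigned char block[PDF_PW_LEN]; unsigned char guard[16]; } s;
    memset(input, 'A', sizeof input);
    memset(s.guard, 0xCC, sizeof s.guard);
    if (pdf_pad_password(s.block, input, sizeof input) != PDF_PW_LEN)
        return 0;
    for (size_t i = 0; i < sizeof s.guard; i++)
        if (s.guard[i] != 0xCC) return 0;
    return s.block[0] == 'A' && s.block[PDF_PW_LEN - 1] == 'A';
}

int main(void) { return overlong_password_is_contained() ? 0 : 1; }
```

The length is clamped before any copy, so input size never determines how many bytes are written to the fixed block.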
How can this vulnerability impact me?
This vulnerability can cause the VeryPDF PCL Converter application to crash, resulting in a denial of service.
An attacker with local access can exploit this by supplying an excessively long password in the PDF Security fields, which triggers a buffer overflow and causes the application to become unstable or stop functioning.
The impact is limited to availability, meaning the confidentiality and integrity of data are not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the crash condition in a controlled environment. Specifically, by supplying an excessively long password string (e.g., 3000 bytes) in the PDF Security password fields of VeryPDF PCL Converter version 2.7.

A proof-of-concept method involves using a script to generate a buffer of 3000 'A' characters, copying this buffer to the clipboard, and then pasting it into the 'User Password' or 'Master Password' field under 'Setting' > 'PDF Security' in the application. After confirming the settings and converting a PCL file, the application should crash if vulnerable.

There are no specific network commands since this is a local vulnerability, but the following steps can be used to test the vulnerability on the system:

- Run a script (such as the provided Python PoC) to generate a 3000-byte buffer.
- Copy the generated buffer to the clipboard.
- Open VeryPDF PCL Converter 2.7, navigate to 'Setting' > 'PDF Security', enable 'Encrypt PDF File', and paste the buffer into the password fields.
- Add a PCL file and start the conversion process.

If the application crashes during this process, the vulnerability is present. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding the use of VeryPDF PCL Converter version 2.7 or earlier until a patch or update is available.
Since the vulnerability requires local access and is triggered by an excessively long password in the PDF Security encryption fields, restrict local access to trusted users only.
Do not enter or accept unusually long passwords in the PDF Security settings to prevent triggering the buffer overflow.
Monitor for application crashes related to PDF Security password handling and consider disabling PDF encryption features if possible.