CVE-2025-71382
Received - Intake
Uncontrolled Recursion in MuPDF EPUB CSS Rendering Engine

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: VulnCheck

Description
MuPDF before 1.27.0-rc1 contains an uncontrolled recursion vulnerability in the EPUB CSS rendering engine that allows remote attackers to cause a denial of service by supplying a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles. The function value_from_inheritable_property() in css-apply.c recurses through the CSS property inheritance chain without a depth limit, exhausting the process stack and causing a crash in any application using MuPDF for EPUB rendering.
Meta Information
Published: 2026-06-23
Last Modified: 2026-06-23
Generated: 2026-06-24
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: artifexsoftware
Product: mupdf
Version / Range: to 1.27.0-rc1 (exc)
CWE ID: CWE-674
Description: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Executive Summary

CVE-2025-71382 is a vulnerability in MuPDF versions before 1.27.0-rc1 that involves uncontrolled recursion in the EPUB CSS rendering engine.

Specifically, the function value_from_inheritable_property() in the file css-apply.c recurses through the CSS property inheritance chain without any depth limit.

An attacker can exploit this by supplying a maliciously crafted EPUB file containing deeply nested HTML elements and inline CSS styles, causing the function to recurse excessively.

This uncontrolled recursion exhausts the process stack, leading to a crash of any application using MuPDF for EPUB rendering.

Impact Analysis

This vulnerability can cause a denial of service (DoS) condition in applications that use MuPDF for rendering EPUB files.

By providing a malicious EPUB file with deeply nested HTML and CSS, an attacker can trigger a stack exhaustion crash, causing the application to stop functioning.

This can disrupt service availability and potentially impact users relying on the affected application for reading or processing EPUB documents.

Detection Guidance

This vulnerability is triggered by processing a maliciously crafted EPUB file with deeply nested HTML elements and inline CSS styles in applications using MuPDF for EPUB rendering.

Detection would involve monitoring for crashes or denial of service events in MuPDF or applications embedding MuPDF when opening EPUB files.

Because the crash comes from stack exhaustion inside value_from_inheritable_property() while the file is being rendered, there are no specific network commands that detect it directly.

To check whether your system is vulnerable, open EPUB files with deeply nested HTML and CSS styles in MuPDF versions before 1.27.0-rc1 and observe whether the application crashes.

No explicit commands or signatures for automated detection are provided in the available resources.

Mitigation Strategies

The primary mitigation is to upgrade MuPDF to version 1.27.0-rc1 or later, where the vulnerability has been fixed by replacing the recursive function with an iterative approach to prevent stack exhaustion.

Until the upgrade can be applied, avoid opening untrusted or suspicious EPUB files that may contain deeply nested HTML elements and inline CSS styles.

If possible, implement application-level protections such as limiting the depth of CSS inheritance processing or sandboxing the MuPDF process to contain potential crashes.
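
The two mitigations described above (an iterative walk in place of recursion, and a limit on inheritance depth) can be seen side by side in the following added example. It is not MuPDF's code: the style_node struct, the function names and the max_depth parameter are assumptions made for illustration, and the chain of nodes is constructed test input.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed model, not MuPDF's types: each element's style links to its parent's. */
struct style_node {
    struct style_node *up;   /* parent style, NULL at the root */
    const char *name;        /* property declared on this element, or NULL */
    const char *value;
};

/* Recursive form: one stack frame per ancestor, so the document's nesting
 * depth decides stack use (unless the compiler removes the tail call). */
static const char *lookup_recursive(const struct style_node *n, const char *name)
{
    if (n == NULL) return NULL;
    if (n->name && strcmp(n->name, name) == 0) return n->value;
    return lookup_recursive(n->up, name);
}

/* Iterative form: same answer in constant stack space. max_depth is an
 * optional cap on ancestors visited (0 = no cap); NULL means "not found". */
static const char *lookup_iterative(const struct style_node *n, const char *name,
                                    size_t max_depth)
{
    size_t depth = 0;
    for (; n != NULL; n = n->up) {
        if (max_depth && ++depth > max_depth) return NULL;
        if (n->name && strcmp(n->name, name) == 0) return n->value;
    }
    return NULL;
}

/* Constructed input: a chain of `depth` (>= 1) nodes where only the root sets
 * "color". Returns what the leaf inherits, or "" when the lookup gives up. */
static const char *leaf_color(size_t depth, size_t max_depth, int recursive)
{
    struct style_node *nodes = calloc(depth, sizeof *nodes);
    if (!nodes) return "";
    nodes[0].name = "color"; nodes[0].value = "red";
    for (size_t i = 1; i < depth; i++) nodes[i].up = &nodes[i - 1];
    const char *v = recursive ? lookup_recursive(&nodes[depth - 1], "color")
                              : lookup_iterative(&nodes[depth - 1], "color", max_depth);
    free(nodes);
    return v ? v : "";
}

int main(void) { return strcmp(leaf_color(1000000, 0, 0), "red") != 0; }
```

With a cap set, a document nested deeper than the cap loses the inherited value instead of crashing the process; the cap value itself is a policy choice the page does not specify.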

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
