CVE-2025-64512

EUVD-2025-38315
Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can specify an alternative directory and filename as long as the filename ends in `.pickle.gz`. A malicious, zipped pickle file can then contain code which will automatically execute when the PDF is processed. Version 20251107 fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.6 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
GitHub_MCNA
8.6 HIGH
LOCAL
LOW
NONE
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 22%
Affected Products (NVD)
VendorProductVersion
pdfminerpdfminer.six
𝑥
< 2025-11-07
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pdfminer
bookworm
20221105+dfsg-1.1~deb12u1
fixed
bookworm (security)
20221105+dfsg-1.1~deb12u1
fixed
bullseye
vulnerable
bullseye (security)
20200726-1+deb11u2
fixed
forky
20260107+dfsg-1
fixed
sid
20260107+dfsg-1
fixed
trixie
20221105+dfsg-1.1~deb13u1
fixed
trixie (security)
20221105+dfsg-1.1~deb13u1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
pdfminer
bionic
needs-triage
focal
needs-triage
jammy
needs-triage
noble
needs-triage
plucky
ignored
questing
needs-triage
xenial
needs-triage
Common Weakness Enumeration
References
https://github.com/pdfminer/pdfminer.six/commit/b808ee05dd7f0c8ea8ec34bdf394d40e63501086
https://github.com/pdfminer/pdfminer.six/releases/tag/20251107
https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp
https://lists.debian.org/debian-lts-announce/2025/11/msg00017.html
https://lists.debian.org/debian-lts-announce/2026/01/msg00005.html
https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-wf5f-4jwr-ppcp