CVE-2025-70559

EUVD-2025-206704

03.02.2026, 18:16

pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA-ADP	ADP	6.5 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 20%

Debian Releases

Debian Product

Codename

pdfminer

bookworm	vulnerable
bookworm (security)	vulnerable
bullseye	vulnerable
bullseye (security)	20200726-1+deb11u2 fixed
forky	20260107+dfsg-1 fixed
sid	20260107+dfsg-1 fixed
trixie	vulnerable
trixie (security)	vulnerable

Common Weakness Enumeration

CWE-502 - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References

https://github.com/advisories/GHSA-f83h-ghpp-7wcc

https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc