CVE-2025-43903
Published 2025-04-18
CVE-2025-43903: NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.
Priority: P4 · 10 · low · 3.3 (CVSS 3.1)
Vector: AV:L / AC:L / PR:L / UI:N / S:U / C:N / I:L / A:N
EPSS: 0.09% (0.7th percentile)
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | poppler | < poppler 25.03.0-4 (forky) | poppler 25.03.0-4 (forky) |
| freedesktop | poppler | < 25.04.0 | 25.04.0 |
| freedesktop | poppler | >= 0 < 25.03.0-4 | 25.03.0-4 |
| freedesktop | poppler | >= 0 < 25.03.0-4 | 25.03.0-4 |
CVSS provenance
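| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.3 | LOW | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| osv | | 3.3 | LOW | |
| vendor_debian | | 4.3 | MEDIUM | |
| vendor_redhat | | 4.3 | MEDIUM | |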
Ubuntu
poppler vulnerabilities
vendor_ubuntu·2025-04-29
CVE-2025-43903 poppler vulnerabilities
Title: poppler vulnerabilities
Summary: poppler could be made to treat documents with forged signatures as
legitimately signed.
It was discovered that poppler did not properly verify adbe.pkcs7.sha1
signatures in PDF documents. An attacker could possibly use this issue
to create documents with forged signatures that are treated as
legitimately signed.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
poppler: SignatureValue not checked within SignerInfo
vendor_redhat·2025-04-18·CVSS 4.3
CVE-2025-43903 [MEDIUM] CWE-347 poppler: SignatureValue not checked within SignerInfo
poppler: SignatureValue not checked within SignerInfo
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.
A flaw was found in Poppler. For signatures with non-empty encapsulated content, typically adbe.pkcs7.sha1, it would only compare hash values, and SignatureValue was never checked within SignerInfo. This issue could lead to signature forgeries.
Package: poppler (Red Hat Enterprise Linux 10) - Fix deferred
Package: poppler (Red Hat Enterprise Linux 6) - Fix deferred
Package: poppler (Red Hat Enterprise Linux 7) - Fix deferred
Package: poppler (Red Hat Enterprise Linux 8) - Fix deferred
Package: poppler (Red Hat Enterprise Linux 9) - Fix deferred
Debian
CVE-2025-43903: poppler - NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7...
vendor_debian·2025·CVSS 4.3
CVE-2025-43903 [MEDIUM] CVE-2025-43903: poppler - NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7...
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 25.03.0-4)
sid: resolved (fixed in 25.03.0-4)
trixie: resolved (fixed in 25.03.0-4)
OSV
CVE-2025-43903: NSSCryptoSignBackend
osv·2025-04-18·CVSS 3.3
CVE-2025-43903 [LOW] CVE-2025-43903: NSSCryptoSignBackend
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.
GHSA
GHSA-4w9g-4h2x-7qxq: NSSCryptoSignBackend
ghsa_unreviewed·2025-04-18
CVE-2025-43903 [MEDIUM] CWE-347 GHSA-4w9g-4h2x-7qxq: NSSCryptoSignBackend
NSSCryptoSignBackend.cc in Poppler before 25.04.0 does not verify the adbe.pkcs7.sha1 signatures on documents, resulting in potential signature forgeries.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-04-18
Published