CVE-2025-64512

CWE-502Deserialization of Untrusted DataCWE-9159 documents6 sources
Severity
7.8HIGH
EPSS
0.1%
top 78.17%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pdfminer Pdfminer.sixDebian Debian Linux
Timeline
PublishedNov 10
Latest updateFeb 3

Description

Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for extracting information from PDF documents. Prior to version 20251107, pdfminer.six will execute arbitrary code from a malicious pickle file if provided with a malicious PDF file. The `CMapDB._load_data()` function in pdfminer.six uses `pickle.loads()` to deserialize pickle files. These pickle files are supposed to be part of the pdfminer.six distribution stored in the `cmap/` directory, but a malicious PDF can speci

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages5 packages

PyPIpdfminer-six< 20251107
PyPIpdfminer.six< 20251107
CVEListV5pdfminer/pdfminer.six< 20251107
NVDpdfminer/pdfminer.six< 2025-11-07
Debianpdfminer< 20200726-1+deb11u1+3

Also affects: Debian Linux 11.0

Patches

Patch: github.com

🔴Vulnerability Details

6
GHSA
Duplicate Advisory: Insecure Deserialization (pickle) in pdfminer.six CMap Loader — Local Privesc2026-02-03
OSV
CVE-2025-64512: Pdfminer2025-11-10
CVEList
pdfminer.six vulnerable to Arbitrary Code Execution via Crafted PDF Input2025-11-10
GHSA
Arbitrary Code Execution in pdfminer.six via Crafted PDF Input2025-11-07
OSV
Arbitrary Code Execution in pdfminer.six via Crafted PDF Input2025-11-07

📋Vendor Advisories

1
Debian
CVE-2025-64512: pdfminer - Pdfminer.six is a community maintained fork of the original PDFMiner, a tool for...2025